Just days after the North American Securities Administrators Association convened its Cybersecurity Roundtable in late June, news headlines reminded us that cyberattacks are among our greatest global threats. The Petya ransomware attack, following closely on the heels of the similar WannaCry attack, focused renewed attention on the growing cybersecurity challenges facing government, industry and the public.
No investment advisor or securities firm of any size can afford the loss in client trust — much less financial losses — that will result from a serious cybersecurity failure. And no investor should have his or her personal information compromised.
Cybersecurity is a top priority for NASAA and its members — the state, provincial and territorial securities regulators in the United States, Canada and Mexico. I continue to work with my fellow securities commissioners throughout North America, as well as with other financial regulators, to identify specific threats and develop strategies to protect our financial infrastructure. NASAA also continues to work on this vital issue as a member of the Treasury Department’s Financial and Banking Information Infrastructure Committee.
NASAA’s June 23 roundtable brought together leading cybersecurity experts to assess current cyber threats to the financial services industry, how industry is responding to the threats, and regulatory efforts underway to help small and midsize investment advisor and broker-dealer firms protect critical client information from cybercriminals.
Statistics help map the battleground that we face. In 2016 alone, the number of U.S. data breaches reached an all-time high of 1,093, according to the Identity Theft Resource Center. That’s an increase of 40% over the 780 breaches reported in 2015.
Criminal data breaches will cost businesses a total of $8 trillion over the next 5 years, predicts a new report from Juniper Research. This report also forecasts that the number of personal data records stolen by cybercriminals will reach 2.8 billion this year and 5 billion in 2020.
Another study, by the specialist insurer Hiscox, found more than half of businesses surveyed in the United States, the United Kingdom and Germany were ill-prepared to deal with cyberattacks. Larger U.S. firms were targeted more often than others, with 72% experiencing a cyberattack in the last 12 months.
The study also found that the financial impact of cyberattacks was felt most deeply by smaller firms, which, surprisingly, also appeared to be more complacent than larger firms in their response to these attacks. Nearly one-third of smaller victims of cyberattacks indicated they planned no changes to their security measures.
These threats to the public mean that, as regulators, we must be vigilant. We need to closely monitor developments to promote best practices in the industry.
It is important that securities firms and professionals have the tools and information they need for cybersecurity. It is also essential to have the proper regulatory expectations and guidance in place for the securities industry.
Three years ago, NASAA conducted a survey of small and midsize RIA firms in nine states. Based on the survey results, NASAA developed a cybersecurity module for its coordinated examination program for use by members. This tool is being used as part of NASAA’s current investment advisor coordinated examinations to learn more about firm cybersecurity practices and procedures. This information also will help inform our consideration of a possible model cybersecurity rule for investment advisors.
There’s no question that cyberattacks are going to increase. As we go forward, we all have to focus on three basic areas: prevention, mitigation and, if you do happen to get hit, recovery.
Cybersecurity requires a collaborative approach involving industry and regulators. At NASAA, we will continue to explore new ways to provide resources for regulators and industry members to address cybersecurity issues, and we will continue to work collaboratively, so that we are all better prepared against cyberattacks.