On February 3, 2015, the Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") published a highly anticipated summary of its examination sweep of 57 registered broker-dealers and 49 registered investment advisers drawn from a cross-section of the financial services industry, conducted to assess their vulnerability to cyber-attacks. The summary provides insight into current cybersecurity practices in the securities industry.
A broker-dealer is a person or company in the business of buying and selling securities, such as stocks, bonds, mutual funds and certain other investment products, on behalf of its customers (as broker), for its own account (as dealer), or both. An investment adviser, on the other hand, is a person or company that is compensated for providing advice about securities to its clients. Both broker-dealers and investment advisers play a central role in the offer and sale of securities and, as such, both hold highly sensitive information belonging to countless individuals and companies. They are therefore regulated by the SEC, and the strength of their cybersecurity practices is a high priority for the OCIE.
The sweep was conducted under the OCIE's Cybersecurity Examination Initiative, announced April 15, 2014, and was intended to give the SEC a general picture of how registered firms identify cybersecurity risks, incorporate cyber risk preparedness into their corporate governance structures and their policies and procedures, identify and address cyber risks associated with vendors and other third parties, and detect and respond to cybersecurity breaches.
The SEC's summary of the sweep's results revealed that a high percentage of the examined firms had experienced cyber-attacks, and that firms take a variety of approaches (some more proactive than others) to preparing for and responding to cybersecurity breaches. Among these trends, the summary noted the following:
Cybersecurity Incidents, Employee Adherence to Procedures and Reporting: Perhaps the most startling finding of the examination is how many of the examined broker-dealers (88%) and advisers (74%) acknowledged having experienced cyber-attacks, either directly or through one or more of their vendors. Not surprisingly, the majority of those incidents involved malware and fraudulent emails. The specific nature of the attacks, and the resulting losses, varied among the firms examined. However, about half of the firms reporting fraudulent emails said those emails sought the transfer of client funds. Over a quarter of the broker-dealers reported losses in excess of $5,000 from such emails, though no single loss exceeded $75,000. One adviser, however, reported a loss in excess of $75,000.
As with cyber-attacks in other industries, some of these losses were attributed to employees not following the firms' identity authentication procedures. In general, however, few firms identified employee misconduct that resulted in the misappropriation of funds, securities, or sensitive client or firm information, or in damage to the firms' networks.
Interestingly, broker-dealers reported nearly two-thirds of the fraudulent emails to the Financial Crimes Enforcement Network by filing a Suspicious Activity Report, but neither broker-dealers nor advisers generally reported such incidents to other regulators or to law enforcement agencies.
Written Cybersecurity Policies: As expected, a large percentage of the examined broker-dealers (93%) and advisers (83%) have already adopted written cybersecurity policies, and most of them (89% of broker-dealers and 57% of advisers) conduct periodic audits to determine compliance with those policies.
The extent to which the policies address cybersecurity issues, however, varies widely. For example, many of the policies (82% for broker-dealers and 51% for advisers) discuss mitigating the effects of and/or recovering from a cybersecurity incident. Not surprisingly, only a minority (30% for broker-dealers and 13% for advisers) discuss how to determine whether the firm is responsible for client losses associated with cyber-attacks, and even fewer (15% for broker-dealers and 9% for advisers) offer clients specific guarantees of protection against such losses.
Both broker-dealers and advisers appear to be doing their homework when preparing their policies. The summary noted that the majority of broker-dealers (88%) and advisers (53%) reference published cybersecurity risk management guidelines or standards, such as those published by the National Institute of Standards and Technology, the International Organization for Standardization and the Federal Financial Institutions Examination Council, as well as other resources, in modeling their information security architecture and processes.
Periodic Cybersecurity Risk Assessments: Beyond merely putting cybersecurity policies in place, a significant majority of the broker-dealers (93%) and advisers (79%) examined in the sweep also conduct periodic firm-wide risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences. Many (84% of broker-dealers but only 32% of advisers) take the further step of requiring periodic cybersecurity risk assessments of vendors that have access to the firms' networks.
Other Cybersecurity Trends: In addition to written policies and periodic assessments, most of the examined firms appear to be proactive in both educating themselves on cybersecurity threats and developing breach prevention and response procedures. Examples of these steps include the following:
- Identifying best practices through information-sharing networks, such as industry associations, conferences and independent research;
- Conducting firm-wide inventorying, cataloguing or mapping of technology resources, including physical devices and systems, software platforms and applications, network resources, connections and data flows, connections to firm networks from external sources, hardware, data and software, and logging capabilities and practices;
- Incorporating requirements relating to cybersecurity risk into contracts with vendors and business partners, and maintaining policies and procedures relating to information security training for vendors and business partners authorized to access their networks;
- Using data encryption;
- Providing clients with suggestions for protecting their sensitive information and reducing cybersecurity risks when transacting with the firm, whether through the firms' websites, periodic emails or postal mailings;
- Designating a Chief Information Security Officer (“CISO”) to be responsible for cybersecurity oversight, or assigning another senior officer, such as the Chief Technology Officer, Chief Compliance Officer, Chief Executive Officer or Chief Operating Officer, to coordinate with third-party cybersecurity consultants who are engaged to oversee the firms’ cybersecurity; and
- Obtaining cybersecurity insurance.
The OCIE's report concluded that, although it cannot yet evaluate the strength of each firm's cybersecurity policies and procedures, it will continue to review the examination results to discern correlations between the examined firms' preparedness and controls and their size, complexity and other characteristics. The OCIE also indicated that it will continue to conduct risk-based examinations focused on cybersecurity. In the meantime, firms should consider using the OCIE's examination findings as a reference point when conducting their own cybersecurity self-assessments.