Broker-Dealers and Investment Advisors Under the Regulatory Microscope

Posted on April 28, 2015

I don’t think I’m overstating the status quo by much when I say that regulators are focused on the cyber security practices of every regulated business. This is particularly true for securities broker-dealers and investment advisors.

Last year, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) announced that it would be auditing broker-dealers and investment advisors to assess their cyber risks and preparedness. The audits focused on practices relating to:

  • Identification of cyber risks;
  • Cyber security governance;
  • Protection of networks and information;
  • Remote access to client information and funds transfer requests;
  • Vendor risks; and
  • Detection of unauthorized activity.

In February 2015, the OCIE released a risk alert summarizing the results of its audits of 57 registered broker-dealers and 49 registered investment advisors. The alert contains a breakdown of the sizes and types of firms examined. A few of the highlights are:

1. The vast majority of broker-dealers and investment advisors have written information security policies.
Although fewer firms audit compliance, 93 percent of broker-dealers and 83 percent of investment advisors now have written policies.

I expect the lack of audits to be a focus of the SEC and other regulators going forward. Regulators frequently stress the need for companies to have a “culture of compliance” with applicable information security rules and best practices. Companies that don’t audit for compliance are likely to have a lot of trouble satisfying their regulators.

2. Cyber risk assessments are common, but vendor assessments are less so.
Significant majorities of broker-dealers and advisors assess their own cyber risks. Far fewer assess their vendors, with only 32 percent of advisors doing so. The OCIE also found that even smaller percentages of firms incorporate cyber security requirements into vendor contracts. Only 51 percent of broker-dealers provide cyber security training to vendors, and just 13 percent of advisors have policies requiring it.

3. Most companies have experienced cyber attacks.
Cyber attacks appear to be common. Eighty-eight percent of broker-dealers and 74 percent of investment advisors have been attacked directly or through a vendor. The most frequent attack vectors are malware and fraudulent emails.

A typical fraudulent email is one directing the transfer of client funds. Twenty-five percent of the losses from fraudulent emails were caused by employees failing to follow identity authentication procedures, and so could have been prevented.

I suspect regulators will focus on the relatively high incidence of employee failures going forward. I believe regulators are likely to examine a company’s ongoing training and testing of employees to assure that they are following required procedures. This would be consistent with the growing realization that cyber security is a human issue more than a technological one.

4. Cyber insurance is not as common as it should be.
A slim majority of broker-dealers (58 percent) have cyber policies. Only 21 percent of investment advisors have coverage. The existence of cyber insurance is one of the factors the SEC noted in its 2011 disclosure guidance relating to cyber security. That emphasis could lead the SEC to view the absence of coverage negatively.

The SEC isn’t the only regulator to have spoken recently about broker-dealer cyber risks. In February 2015, the Financial Industry Regulatory Authority (FINRA) issued its Report on Cybersecurity Practices. The report advocates a risk-based approach to cyber security, and identifies principles and effective practices for firms to follow. Some of the key points the report makes are:

  • A strong information governance framework, actively backed by the company’s senior leadership, is essential
  • Cyber risk assessments are vital
  • Necessary technical controls will vary depending on the company’s business
  • Incident response plans are essential and should be tested regularly
  • Companies must use due diligence to assure that vendors provide necessary cyber security
  • Employee training is extremely important
  • Companies should actively engage in information sharing activities with other broker-dealers
  • Cyber insurance should be considered

None of these points is surprising; they are consistent with the best practices most companies already follow. FINRA does state that it expects companies to consider the matters raised in the report, and that it will assess companies on that basis.

Broker-dealers should carefully review and consider the FINRA report.

Executive Risk Report – Why Every Board Should Care About Cybersecurity

Posted on April 23, 2014

ERR Spring 2014
The Executive Risk Report provides Lockton clients with timely, practical news about the legal and market dynamics affecting executive and professional liability coverages and claims.

Inside this issue:

  • Why Every Board Should Care About Cybersecurity
  • Representations and Warranties Insurance: Its Time Has Come
  • Deciphering Code: Understanding the Computer Fraud Insuring Agreement in a Commercial Crime Policy
  • Courtroom Case Notes: News You Can Use From Recent Decisions
  • Lockton Claims Advocacy in Action

Read it here.

International Engagement on Cyber: Developing Global Norms for a Safe, Stable, and Predictable Cyber Environment

Posted on March 18, 2014

Cyber security has become a major priority for governments on a global scale. In February 2014, the U.S. government launched a Cyber Security Framework under Executive Order 13636 to support critical infrastructure industries in improving defenses against a cyber attack.

On March 4th, international leaders including Secretary Michael Chertoff, General Michael Hayden, Rear Admiral Michael Brown, and Senator Sheldon Whitehouse gathered in Washington D.C. to debate how the global community can come together to implement a common security approach.

The International Engagement on Cyber 2014 was hosted by the Georgetown University Institute for Law, Science and Global Security, and took place as planned despite the threat of winter weather interrupting the meeting.

The day included four panel discussions on topics such as national cyber strategies, Internet governance, national cyber security in a post-Snowden era, and the development of international norms for cyberspace.

Key to overcoming our global cyber security challenges is an increased willingness for both the private and public sectors to share information, such as threat intelligence. I was pleased to participate in a panel discussing private/public partnerships to protect critical infrastructure. Co-panelists included Adam Sedgwick from NIST (National Institute of Standards and Technology), the architect of the new cyber security framework, as well as representatives of the Department of Homeland Security.

The federal government has engaged the insurance industry directly to support the rollout of the framework, and I expressed support for the initiative, as it will cement cyber security as a boardroom risk.

For more information about cyber security, read my white paper, The Ever-Evolving Cyber Laws, and visit Lockton’s Cyber & Technology website.

Lockton Expert Talks Cyber Insurance with Marketplace

High profile data breaches have brought cyber insurance into the media spotlight. Estimates indicate more than 70 million people who shopped at Target between Thanksgiving and Christmas had their personal data compromised, costing the company $60 million. However, Target expects to see that number drop to $17 million, thanks to cyber insurance coverage.

In a recent story by American Public Media’s Marketplace, Lockton cyber expert Emily Freeman talks about the growing demand for cyber coverage. She stresses that this coverage serves only as a safeguard.

“We sit on the shoulders of their best efforts to prevent the event from happening in the first place,” said Freeman.

Cyber policies can be contingent on a company having protection measures in place to stave off a cyber attack or lessen its impact.

Learn about Lockton’s Cyber Risk capabilities.

Lockton’s Beeson to Chair Cyber Risk Insights Conference in London

Posted on January 31, 2014

Lockton’s cyber expert Ben Beeson will chair Advisen’s upcoming Cyber Risk Insights Conference in London on Tuesday 25 February 2014. Risk managers and insurance buyers may attend at no charge.

The agenda features 30 speakers discussing topics such as data security, privacy legislation, and the evolution of coverage products. The keynote address will be given by Lord Reid, Principal at the Chertoff Group and Chair of the Institute for Security and Resilience Studies. He was a Member of Parliament and served as a cabinet minister under Prime Minister Tony Blair.

“I am thrilled and honored to be chairing this conference,” said Ben Beeson. “Given the recent rash of cyber attacks, it’s crucial for risk managers to have a clear view of the threats and know their cyber insurance coverage options.”

The conference will explore the range of cyber risks with emphasis on emerging areas of concern where London insurance markets have taken a global leadership position. While the focal point is cyber insurance solutions, the agenda aims to give risk managers an understanding of the full range of cyber-related risk and insurance issues.

For more information and to register, visit the Cyber Risk Insights Conference website.