I don’t think I’m overstating the status quo by much when I say that regulators are focused on the cyber security practices of every regulated business. This is particularly true for securities broker-dealers and investment advisors.
Last year, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) announced that it would be auditing broker-dealers and investment advisors to assess their cyber risks and preparedness. The audits focused on practices relating to:
- Identification of cyber risks;
- Cyber security governance;
- Protection of networks and information;
- Remote access to client information and funds transfer requests;
- Vendor risks; and
- Detection of unauthorized activity.
In February 2015, the OCIE released a risk alert summarizing the results of its audits of 57 registered broker-dealers and 49 registered investment advisors. The alert contains a breakdown of the sizes and types of firms examined. A few of the highlights are:
1. The vast majority of broker-dealers and investment advisors have written information security policies.
Although fewer firms audit compliance, 93 percent of broker-dealers and 83 percent of investment advisors now have written policies.
I expect the lack of audits to be a focus of the SEC and other regulators going forward. Regulators frequently stress the need for companies to have a “culture of compliance” with applicable information security rules and best practices. Companies that don’t audit for compliance are likely to have a lot of trouble satisfying their regulators.
2. Cyber risk assessments are common, but vendor assessments are less so.
Significant majorities of broker-dealers and advisors assess their cyber risks. Smaller numbers assess their vendors, with only 32 percent of advisors doing so. The OCIE also found that even smaller percentages of firms incorporate cyber security requirements into vendor contracts. Cyber security training of vendors is performed by only 51 percent of broker-dealers, and just 13 percent of advisors have policies requiring it.
3. Most companies have experienced cyber attacks.
Cyber attacks appear to be common. Eighty-eight percent of broker-dealers and 74 percent of investment advisors have been attacked directly or through a vendor. The most frequent attack vectors are malware and fraudulent emails.
A typical fraudulent email is one directing the transfer of client funds. Twenty-five percent of the fraudulent email losses were caused by employee failures to follow identity authentication procedures, and so could have been prevented.
I suspect regulators will focus on the relatively high incidence of employee failures going forward. I believe regulators are likely to examine a company’s ongoing training and testing of employees to assure that they are following required procedures. This would be consistent with the growing realization that cyber security is a human issue more than a technological one.
4. Cyber insurance is not as common as it should be.
A slim majority of broker-dealers (58 percent) have cyber insurance policies. Only 21 percent of investment advisors have coverage. The existence of cyber insurance is one of the factors the SEC noted in its 2011 disclosure guidance relating to cyber security. That emphasis could lead the SEC to view the absence of coverage negatively.
The SEC isn’t the only regulator to have spoken recently about broker-dealer cyber risks. In February 2015, the Financial Industry Regulatory Authority (FINRA) issued its Report on Cybersecurity Practices. The report advocates a risk-based approach to cyber security, and identifies principles and effective practices for firms to follow. Some of the key points the report makes are:
- A strong information governance framework, actively backed by the company’s senior leadership, is essential
- Cyber risk assessments are vital
- Necessary technical controls will vary depending on the company’s business
- Incident response plans are essential and should be tested regularly
- Companies must use due diligence to assure that vendors provide necessary cyber security
- Employee training is extremely important
- Companies should actively engage in information sharing activities with other broker-dealers
- Cyber insurance should be considered
None of these points are surprising. They are consistent with the best practices followed by most companies. FINRA does state that it expects companies to consider the matters raised in the report, and that it will assess companies in that regard.
Broker-dealers should carefully review and consider the FINRA report.