SEC Reports on Adviser Cyber-Risk Readiness

A Securities and Exchange Commission review of the financial services industry’s cybersecurity preparedness shows the vast majority of examined broker/dealers and advisers have adopted written information security policies.

According to the Securities and Exchange Commission (SEC)’s Office of Compliance Inspections and Examinations (OCIE), which recently examined the cyber-risk management capabilities of nearly 60 broker/dealers (B/Ds) and 50 registered investment advisers (RIAs), most broker/dealers (89%) and the majority of advisers (57%) conduct periodic audits to determine compliance with formal information security policies and procedures.

OCIE’s cyber-risk audit findings are explored at length in a recently published Risk Alert. Among the key findings of the nearly year-long auditing effort, OCIE says, is that financial services firms appear more and more aware of the extensive cyber-risk they face. To this end, most written policies and procedures for both the broker/dealers (82%) and the advisers (51%) discuss mitigating the effects of a cybersecurity incident and/or outline a formal plan to recover from one.

However, few written policies and procedures directly address how firms determine whether they are responsible for client losses associated with cyberincidents, OCIE says. This can prove problematic for advisers and broker/dealers accused of leaving client data or funds exposed to cyber-risks. 

“The policies and procedures of only a small number of the broker/dealers (30%) and the advisers (13%) contain such provisions,” the Risk Alert observes. “And even fewer of the broker/dealers (15%) and the advisers (9%) offered security guarantees to protect their clients against cyber-related losses.”

One positive sign of improving cybersecurity is that many firms are turning to external standards and other resources to model their information security architecture and processes. Most broker/dealers (88%) and many advisers (53%) reference published cybersecurity risk management standards, such as those from the National Institute of Standards and Technology, the International Organization for Standardization, and the Federal Financial Institutions Examination Council.

Other risk assessment results show broker/dealers outstrip advisers when it comes to cybersecurity. Only about a third of the advisers (32%) examined require cybersecurity risk assessments of vendors with access to their firms’ networks. Most broker/dealers (84%), on the other hand, require this type of assessment of vendors accessing their data networks.

Few firms can afford to be complacent in reviewing their cyber-risk preparedness, OCIE continues. Strikingly, most of the examined firms reported that they have been the subject of a cyber-related incident. A majority of  broker/dealers (88%) and advisers (74%) stated that they have experienced cyberattacks directly or through one or more of their vendors. Most of the cyber-related incidents are related to malware and fraudulent emails, OCIE points out.

Over half of the broker/dealers (54%) and just under half of the advisers (43%) reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker/dealers (26%) reported losses of more than $5,000, related to fraudulent emails; however, no single loss uncovered by OCIE exceeded $75,000. One adviser reported a loss in excess of $75,000 related to a fraudulent email, OCIE says, for which the client was made whole.

Critically, one-quarter of the broker/dealers with losses related to fraudulent emails noted that these were the result of employees failing to follow the companies’ identity-authentication procedures. The one adviser that reported a loss also said that its employees had deviated from its identity-authentication procedures, OCIE says.

Almost two-thirds of the broker/dealers (65%) that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network (FinCEN) by filing a suspicious activity report, but only 7% of those firms reported the fraudulent emails to law enforcement or other regulatory agencies. With the exception of the investment adviser loss in excess of $75,000 related to a fraudulent email, as alluded to above, advisers generally did not report incidents to a regulator or law enforcement. 

Turning to internal cyberthreats, many firms identified misconduct by employees and other authorized users of the firms’ networks as a significant concern, but only a small proportion of broker/dealers (11%) and advisers (4%) actually reported incidents in which an employee or other authorized user engaged in misconduct resulting in the misappropriation of funds, securities or data.

In a positive sign, almost all the examined broker/dealers (98%) and advisers (91%) make use of encryption in some form. Many examined firms also provide their clients with suggestions for protecting their sensitive information, OCIE adds.

The office concludes the Risk Assessment by noting that its staff is still reviewing the cyber-audit information to discern correlations between the examined firms’ preparedness and controls, and their size, complexity or other characteristics. As noted in OCIE’s 2015 priorities, the office will continue to focus on cybersecurity using risk-based examinations.

“The staff welcomes comments and suggestions about how the commission’s examination program can better fulfill its mission to promote compliance, prevent fraud, monitor risk and inform SEC policy,” the Risk Alert says.

Advisers or broker/dealers suspecting or observing activity that may violate federal securities laws or otherwise harm investors are encouraged to notify the SEC here