SEC, FINRA Warn on Cybersecurity
Regulators are resounding the alarm over the growing digital threats that advisors and broker-dealers face.
The SEC and FINRA both this week published the results of recent reviews of cybersecurity practices in the industries they regulate, issuing the renewed warnings. Over the past year, both regulatory bodies had been conducting so-called sweep exams of registrants' cyber defenses, an initiative they say will continue indefinitely.
"Cybersecurity threats know no boundaries," SEC Chairman Mary Jo White says in a statement. "That's why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC."
Echoing that sentiment is Susan Axelrod, FINRA's executive vice president for regulatory operations.
"Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program," Axelrod says in a statement. "FINRA is keenly focused on cybersecurity, and firms must make responding to these threats a high priority."
The twin reports are the latest examples of how government and industry regulators are taking a hard look at the way advisors and brokers protect their information systems and clients' data. Both groups recently identified cybersecurity as a top priority that examiners will be looking at when they conduct practice exams this year.
In its sweep, the SEC visited more than 100 advisors and brokers, evaluating how registered firms identify security risks and unauthorized network activity, the policies and procedures they have in place to protect their systems and data, and issues relating to third-party vendors and remote access to client information, among other areas.
That process culminated in the Monday publication of a risk alert detailing the findings of the exams, and an investor bulletin offering tips for consumers to better protect their personal information, such as keeping strong passwords and changing them often, and exercising care when using public computers and wireless networks.
The same day, FINRA released its own, far longer report recapping its sweep, along with an investor alert calling on brokerage customers to familiarize themselves with the security practices of the firms that hold their accounts.
Both regulators stress the fast-moving and increasingly sophisticated nature of the threats in cyberspace, though FINRA's report reads as the more prescriptive document, identifying several tactics that might be considered best practices. Those include establishing a strong governance framework that involves senior-level personnel with the firm's cybersecurity operations, and emphasize the importance of employee training, conducting due diligence in dealings with third parties, and developing and testing incident response plans.
The SEC's risk alert, in contrast, only outlines the findings of the sweep, presented in the form of the results of a survey.
Those exams unearthed significant variations in the practices of RIAs and broker-dealers. For instance, 68% of brokers examined report that they have designated a chief information security officer, compared to just 30% of advisors who have done the same. Substantial majorities of advisors (83%) and brokers (93%) have written information-security policies in place, but while 89% of the brokers say that they conduct periodic audits to test compliance with those policies, only a slim majority at 57% of advisors say that they perform those reviews.
SEC examiners interviewed a variety of people at the firms they visited, which were varied in size and business model. The commission says it engaged in "limited testing" to verify the accuracy of advisors' responses, but did not look at the technical aspects of their defense mechanisms.
Laura Grossman, assistant general counsel at the Investment Adviser Association, welcomes the timely release of the SEC's report -- it had been rumored to be coming out later this year -- and suggests that advisors review the findings and "incorporate what they feel is reasonable and appropriate for their firm."
Cybersecurity can be a nettlesome issue for advisors, who at times express frustration about the challenges of trying to protect their systems and clients' information against a constantly evolving set of threats.
"I think the 'World Wide Web' is the 'Wild, Wild West,' and people are still trying to get their hands around how do you handle it," says Kevin Myeroff, president and CEO of NCA Financial Planners in Cleveland.
Cybersecurity has been the subject of considerable debate among policymakers and members of Congress, who have been weighing the proper role of government in supporting private-sector efforts to secure their systems and respond to attacks. But underpinning those discussions is the understanding that any government mandate cannot be overly prescriptive on technical issues, that there is no sense -- but the potential for considerable harm -- in regulating areas like intrusion prevention and network segmentation.
"It's a moving target, in the sense of what's appropriate five years ago would not be appropriate today," says Glen Barrentine, a partner at the law firm Winston & Strawn.
The IAA's Grossman is no proponent of stiff regulations in the cyber arena, and cautions against the SEC taking harsh action against advisors who fall prey to an attack.
"We never want to see enforcement activity in our industry, especially with something like cybersecurity where it's ever-changing," she says. "Even your best efforts can result in a breach. So we don't want to see our members punished for things beyond their reasonable control."
At the same time, she suggests that the SEC could help the industry by producing a more thorough account of what the examiners found in their sweep, offering advisors a better sense of how to shore up their cybersecurity programs.
"Any further and more detailed information about the practices and procedures they saw would be useful," Grossman says. "It's a very summary description of what they were looking at."
- SEC Warning: Small Firms Won't Get a 'Pass' on Cybersecurity
- Cybersecurity Best Practices: 6 Tips
- SEC Examiners to Focus on Retirement Planning Issues