SEC Cybersecurity Exam Sweep: Advisers Lag Behind Broker-Dealers
Advisers and broker-dealers are both moving on cybersecurity – but advisers appear to have a longer way to go.
That, at least, is one of the conclusions that can be drawn from the results of the SEC’s cybersecurity exam sweep of more than 100 advisers and broker-dealers. The results found that, in most categories, broker-dealers scored higher than advisers, and particularly so in certain specific categories, such as vendor contract requirements and having a designated cybersecurity officer on board.
The findings from the exam sweep, which covered cybersecurity practices in 2013 and early 2014, were summarized in the SEC’s National Exam Program risk alert, "Cybersecurity Examination Sweep Summary," issued February 3 by the agency’s Office of Compliance Inspections and Examinations. It reported that 74 percent of advisers and 88 percent of broker-dealers experienced cyberattacks directly or through one or more of their vendors. Of those attacks, most were related to malware or fraudulent emails.
"Cybersecurity threats know no boundaries," said SEC chair Mary Jo White. "Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyberattacks."
In April 2014, OCIE issued a risk alert in which it outlined its launch of a "cybersecurity initiative," following a Commission cybersecurity roundtable held the month before. The initiative included a planned examination of cybersecurity practices at advisers and broker-dealers, together with a seven-page list of 28 numbered questions asking for information in more than 70 cybersecurity areas (ACA Insight, 4/7/14). The results of that examination are the topic of this month’s new risk alert.
The new OCIE alert, however, does not go much beyond summarizing the results of its survey. "It would have been helpful if it gave some real guidance," said Sutherland partner Brian Rubin, something that he said the SEC may provide in a later alert.
Advisers should read both the SEC risk alert and the FINRA "Report on Cybersecurity Practices," also issued on February 3, Rubin suggested. The FINRA report, like the SEC alert, is based on a sweep examination, except that for FINRA the examination was of a cross-section of its membership, which includes broker-dealers, investment banks and clearing firms. At 46 pages, the FINRA report is longer and somewhat more prescriptive than the SEC’s seven-page alert.
"It contains good background and analysis on the issues, which would be of value to advisers and broker-dealers," Rubin said. "Advisers should read both of the reports, and then ask themselves, ‘Do we know what’s going on with these issues at our firm?’"
Observations and recommendations from the FINRA report include:
Firms should develop, implement and test incident response plans.
A sound governance framework with strong leadership is essential, with board- and senior-level engagement on cybersecurity issues.
Risk assessments are foundational tools to understand cybersecurity risks, regardless of a firm’s size or business model.
Firms should manage cybersecurity risks that rise from vendor relationships and exercise "strong due diligence across the life cycle" of these relationships.
Firms should take advantage of intelligence-sharing opportunities to protect themselves from cyberthreats.
SEC sweep exam results
What will the SEC do with the sweep exam results, other than disseminating them? "The staff is still reviewing the information to discern correlations between the examined firms’ preparedness and controls and their size, complexity or other characteristics," OCIE said in the risk alert. That might leave one to speculate that when those correlations are made, more prescriptive guidelines may be coming, Rubin said.
Following is a rundown of some of the results:
Information security policies and procedures. Most advisers (83 percent) and broker-dealers (93 percent) have written information security policies in place. Fifty-seven percent of advisers and 89 percent of broker-dealers conduct periodic audits to determine compliance with those policies and procedures.
Risk assessments. Seventy-nine percent of advisers and 93 percent of broker-dealers conduct periodic risk assessments, the results of which are used in establishing relevant policies and procedures. However, a significantly smaller percentage of advisers (32 percent) require a cybersecurity assessment of vendors with access to their networks, versus 83 percent of broker-dealers that require the same.
Networking. Advisers rely on discussions with industry peers, attendance at conferences and independent research to find relevant cybersecurity practices and keep up to date on regulatory guidance, but the alert did not indicate the percentage that do. Almost half (47 percent) of broker-dealers, on the other hand, are members of industry groups, associations and other organizations to learn this information. Many of the brokers, and some of the advisers, use the Financial Services Information Sharing and Analysis Center.
Technology tracking. Advisers and broker-dealers both conduct firm-wide inventory cataloging of their technology systems. For instance, 92 percent of advisers and 96 percent of broker-dealers map out their physical devices and systems; 92 percent of advisers and 91 percent of broker-dealers catalog their software platforms and applications; 81 percent of advisers and 97 percent of broker-dealers map out their network resources, connections and data flow; and 74 percent of advisers and 91 percent of broker-dealers catalog their connections to firm networks from external sources.
Vendor contracts. Few advisers (24 percent) place cybersecurity requirements into their contracts with vendors and business partners, while 72 percent of broker-dealers do. The same held true on the question of maintaining policies and procedures for vendor and business partner training on information security, with only 13 percent of advisers having such policies compared to 51 percent of broker-dealers.
Encryption. Almost all advisers and broker-dealers make use of encryption "in some form." Ninety-one percent of advisers reported that they do so, as did 98 percent of broker-dealers.
Client online access. Seventy-five percent of advisers with retail clients that permit clients to access their accounts online said they provide those clients with steps to reduce cybersecurity risk. Sixty-five percent of broker-dealers with retail customers that permit online access do so.
Designated official. Less than 30 percent of advisers have a designated chief information security officer, compared to 68 percent of broker-dealers. "Advisers often direct their chief technology officer to take on the responsibilities … or they have them assigned to another senior officer," such as the chief compliance officer, chief executive officer or chief operating officer, the OCIE staff said.
Cybersecurity insurance. Twenty-one percent of advisers have insurance for cybersecurity incidents, compared with 58 percent of broker-dealers. Either way, it hasn’t been used much. OCIE found that just one adviser and one broker-dealer had filed a claim.
Referring to the practices listed above, Joshua Larocca, vice president of Stroz Friedberg, a risk assessment firm, said that "when employees don’t follow the necessary procedures, it leads to exposure and potentially to losses."
Cybersecurity incident breakdown
Just under half (43 percent) of the advisers and more than half of the broker-dealers (54 percent) said they received fraudulent emails seeking to transfer client funds, according to the risk alert. "One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole," the staff said. More than a quarter of the broker-dealers reported fraudulent email losses of more than $5,000, but no single loss was greater than $75,000.
One area involving cybersecurity incidents where there was a noticeable difference between broker-dealers and advisers was when the crime involved identity authentication procedures. Just one adviser reported a loss from an employee that deviated from such procedures, while 25 percent of the broker-dealers had losses tied to employees not following their identity authentication procedures. "Companies are recognizing more and more that we have to be just as concerned about the insider threat, from employees who make errors, as the external threat," Larocca said.
Advisers – with the exception of the one adviser that lost more than $75,000 – "generally did not report incidents to a regulator or law enforcement," the staff said. Yet two-thirds of the broker-dealers that received fraudulent emails reported them. The push today within the cybersecurity world is for companies to report to regulators and law enforcement, Larocca said, as it keeps these bodies up to date with what is happening, which can help prevent other occurrences, and offers the possibility that the bad actors will be held to account.
There was also some good news for both employees and employers, whether of advisers or broker-dealers. "While firms identified misconduct by employees and other authorized users of the firms’ networks as a significant concern, only a small proportion of the broker-dealers (11 percent) and the advisers (4 percent) reported incidents in which an employee or other authorized user engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client or firm information, or in damage of the firms’ networks."
How the sweep was conducted
"Our examinations assessed a cross-section of the industry as a way to inform the Commission on the current state of cybersecurity preparedness," said OCIE director Andrew Bowden. Here’s how:
Assets under management. Advisers managing less than $400 million in AUM made up 36.7 percent of the adviser respondents, as did advisers managing more than $900 million. Advisers managing between $401 million and $900 million made up 26.5 percent of adviser respondents.
Client concentration. Retail and individual clients made up more than two-thirds (67.3 percent) of the adviser respondents. The rest of the adviser respondents were classified as follows: private funds, 14.3 percent; diversified/institutional funds, 12.2 percent; pension funds, 4.1 percent; and registered investment companies, 2.0 percent.
Custody. Sixty-seven percent of the adviser respondents reported having custody of client funds, while 33 percent reported not having custody.