SEC cybersecurity sweep provides view of industry practices

Protecting data and other digital assets from cyberattacks is a top priority for firms in the fund industry — and the SEC wants to be sure that the investment industry is ready to meet the challenge. Earlier this year, the Office of Compliance Inspections and Examinations (OCIE) launched an initiative to assess the cybersecurity preparedness of broker-dealers and investment advisers.

Ed Schmidt, the Senior Technology Officer for OCIE, reported on the results of that initiative to date, speaking at the NICSA General Membership Meeting, held in Boston on September 11-12. Schmidt summarized themes and findings from the over 100 examinations completed so far, divided roughly evenly between investment advisers and broker-dealers.

  • Biggest threats. When asked about risks, firms identified a network breach as their biggest concern. Other concerns included social engineering, data leakage, mobile device security, malware, phishing, compromise of computers (through either cloud computing or vendor systems), compromise of customer email, hacking and vendor management. Firms were particularly concerned that criminals could bypass the firm's own security controls by going through its customers and vendors instead.
  • The role of employees. Employee misconduct — either intentional or unintentional — ranked among the top three concerns. Firms recognized that controlling access to systems was critical.
  • Experience of attacks. Fully 87% of the firms examined had been through a cyber incident, and close to one in five had experienced attacks both directly and through vendors. Phishing was the most common type of attack, and at least one firm reported a transfer of customer funds based on a fraudulent email; the transfer went through because the registered representative involved did not follow the firm's policies and procedures. Denial of service attacks were also reported. Extortion was the motivation in at least one of these attacks, and one rendered a firm's website unavailable for half the trading day. The firms involved in these attacks reported them to regulators and law enforcement. At least three incidents involved sending customer information to a personal email account or a personal device, and firms also reported incidents in which customer information was compromised through vendor systems.
  • The role of industry groups. The most progressive firms are participating in industry groups to learn about risks and best practices. These groups help firms keep up to date with the latest guidance from regulators and government agencies.
  • Defining frameworks. In terms of frameworks for structuring information security governance, some firms are drawing on COBIT, the Information Security Forum and the SANS Institute. The COSO framework was too new at the time the examinations were conducted to be mentioned.

In general, Schmidt noted that, not unexpectedly, there was a big gap between smaller firms that cannot support segregation of duties and larger firms with a dedicated information security officer and a cybersecurity team.

Speaking on the panel with the SEC's Schmidt, Chris Hetner, Cybersecurity and Risk Management Executive with EY, reiterated that small firms should bring in outside expertise where needed. He emphasized that firms need to have an incident response plan in place and practice it regularly. Firms must know where their key assets are, and which of them are most essential to their business.

NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560