Cybersecurity Preparedness Exams Results Are In!

The Securities and Exchange Commission (SEC) recently published the results of its cybersecurity preparedness examinations of more than 100 broker-dealers and investment advisers.

The report highlights that while investment firms are increasingly being targeted by cyberattacks, they are also actively taking steps to address the threats.  The SEC’s Cybersecurity Preparedness Examination Initiative included 57 registered broker-dealers and 49 registered investment advisers, who were selected by the agency to provide perspectives from a cross-section of the financial services industry and to assess various firms’ vulnerability to cyber-attacks.

Examiners specifically gathered information regarding the firms’ practices for: identifying risks related to cybersecurity; establishing cybersecurity governance; protecting firm networks and information; identifying and addressing risks associated with remote access to client information and funds transfer requests; identifying and addressing risks associated with vendors and other third parties; and detecting unauthorized activity.

Below are some of the SEC’s key findings:

• Cyberattacks are common. A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors.
• The majority of the incidents are related to malware and fraudulent emails. Approximately half of the examined firms reported receiving fraudulent emails seeking to transfer client funds. More than one-quarter of broker-dealers reported losses related to fraudulent emails of more than $5,000; however, no single loss exceeded $75,000. One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole.
• Most firms have written policies and procedures in place. A large percentage of examined broker-dealers (93%) and advisers (83%) have adopted written information security policies. However, few address how firms determine whether they are responsible for client losses associated with cyber incidents.
• Data security is a top concern. Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.
• Most broker-dealers (93%) and advisers (79%) conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, a much smaller percentage (only 32% of advisers) report that they conduct the same assessments of their vendors.
• The use of cybersecurity insurance varied by industry. More than half of the broker-dealers maintain policies that expressly cover cybersecurity incidents and losses. In contrast, less than one-quarter of the advisers examined maintain cybersecurity insurance.

In connection with the report, the SEC also released an Investor Bulletin that contains tips for protecting online brokerage accounts from fraud. Recommended precautions include picking a strong password, enabling two-factor authentication, avoiding the use of public computers/public wireless connections to access investment accounts, exercising caution when clocking email links, and regularly reviewing account statements for suspicious activity.