Report on Current State of Cybersecurity Preparedness in Financial Institutions

By Patricia Uceda, Spring 2015 Graduate Research Assistant

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) recently examined 57 registered broker-dealers and 49 registered investment advisers in an attempt to better understand how market participants are addressing cybersecurity issues. Given the recent JP Morgan security hack, it is clear that literally any financial institution can be attacked at any time. Because very important personal and financial information is at stake, it is vital that broker-dealers and investment advisers have adequate measures in place to deal with a cybersecurity attack.

The SEC assessed the readiness of financial institutions by examining their ability to identify cybersecurity risks, cybersecurity policies and procedures in place, ability to protect networks and information, and ability to detect unauthorized activity. By conducting this investigation, the SEC hopes to educate market participants and investors on the current state of cybersecurity preparedness in financial institutions.

Established Cybersecurity Policies and Procedures

The majority of examined broker-dealers and financial advisers have adopted written information security policies, and they conduct periodic checks to make sure those information security policies are being followed. These information security policies usually address cybersecurity risks, as well as how to mitigate the effects of a cybersecurity attack. However, these policies and procedures generally do not address whether firms are responsible for client losses associated with cyber incidents, and only 15% of broker-dealers offer security guarantees to their clients.

Almost all the examined broker-dealers and advisers stated that they use encryption in some form to secure data. In addition, of the broker-dealers that offer online access, all of them provided their customers with some information about how to reduce cybersecurity risks when conducting transactions with the firm, typically through periodic emails or newsletters.

How Firms Identify and Deal with Cybersecurity Attacks

The vast majority of examined firms conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 84% of firms and 32% of advisers required their vendors with access to the firms’ networks to conduct these cybersecurity risk assessments.

A majority of broker-dealers and advisers reported experiencing cybersecurity attacks either directly or through one of their vendors. Generally, these incidents were related to malware and fraudulent emails seeking to transfer client funds. A quarter of broker-dealers reported losses relating to these fraudulent emails, although they noted that these losses were the result of employees not following the firms’ authentication procedures.

Two-thirds of the broker-dealers that received these fraudulent emails reported the emails to the Financial Crimes Enforcement Network (FinCEN), but they generally did not report the fraudulent emails to law enforcement or regulatory agencies.