In February, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”)released a risk alert regarding the cybersecurity preparedness of the securities industry. OCIE examined 57 registered broker-dealers and 49 registered investment advisers as a part of its “Cybersecurity Examination Initiative” that was announced in the spring of 2014.
OCIE collected information from these firms regarding risks related to cybersecurity policies, remote access to client funds, designations of Chief Information Security Officers (“CISO”) and third party vendors. Key findings of the examinations are discussed below:
- Written Cybersecurity Policies
The vast majority of examined broker-dealers and registered investment advisers adopted written cybersecurity policies. However, only half of registered investment advisers had written policies in business continuity plans to counteract cybersecurity attacks. Most firms did not address who would be held responsible for client losses. Only 9% of investment advisers offered security guarantees for client losses. Advisers and broker-dealers should review their business continuity policies and consider any relevant updates with respect to cybersecurity issues.
- Role of Third Party Vendors
OCIE focused on the examined firms’ monitoring of third party vendors that have access to firm networks. 32% of investment advisers required third party vendors to conduct “cybersecurity risk assessments” and only 24% had cybersecurity requirements in their contracts. In contrast, almost 75% of broker-dealers had cybersecurity requirements in their third party vendor contracts. OCIE considers sharing of information with vendors to increase the likelihood of cyber-related incidents. Investment advisers should consider following the lead of these broker-dealers and include cybersecurity requirements in their third party vendor contracts.
- CISO or Chief Technology Officer (“CTO”)
Whether a firm designated a CISO or a CTO tended to vary on the type of firm: 68% of broker-dealers versus 30% of registered investment advisers identified a CISO. Registered investment advisers typically assigned CISO duties to a CCO or CTO. Though compliance will naturally be involved in cybersecurity policies for financial firms, given the complexity of these issues, technology experts should be more deeply and substantively involved.
- Cybersecurity Incidents
About 75% of both broker-dealers and registered investment advisers that were examined had experienced a cybersecurity incident. The most common issues involved fraudulent emails or malware. The fraudulent emails, in particular, should be considered a serious issue, given the Regulation S-ID requirements that became effective in May 2013 for SEC-registered investment advisers and others registered with the Commodity Futures Trading Commission. Read our article on this topic here.
Almost all examined firms had written policies in place, but 25% of broker-dealers cited employees not following procedures as a reason for losses, highlighting the importance of initial and ongoing training for all employees on key points of the policies. Consider holding a separate, more detailed training for those involved in client services, finance and other areas more likely to be on the front lines of a cyber-attack.
Even the smallest client loss, reimbursed by the firm, can damage its relationship with the client in question; a series of losses or other failures could erode confidence across the client base and invite regulatory scrutiny. Firms should be proactive in not only adopting policies, but emphasize training, monitoring and reevaluating policies in light of evolving threats.
- Final Thoughts
Many firms modeled cybersecurity policies and procedures on published works by the National Institute of Standards and Technology, the International Organization for Standardization and the Federal Financial Institutions Examination Council. Additionally, many firms considered industry organizations as means to gain more information about cybersecurity risks.
The OCIE risk alert highlights the cybersecurity priorities for OCIE and current industry practices. Investment advisers should recognize that cybersecurity testing will likely become a part of standard OCIE examinations in the future. Proper cybersecurity requires ongoing monitoring, robust training and possibly expensive IT infrastructure. However, firms must consider their duty to safeguard client information and assets. The time and money spent on cybersecurity can prevent a loss of client trust and a firm’s reputation.