U.S. regulators review brokerage cybersecurity

The report from the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that most of the firms it reviewed (88% of brokers and 74% of advisory firms) report that they have been the target of a cybersecurity incident — most of these involve fraudulent emails or malware.

Just over half of the broker-dealers it reviewed, and just under half of the advisers, reported receiving fraudulent emails seeking to transfer client funds, it says. The report indicates that 26% of those broker-dealers reported losses related to fraudulent emails of more than US$5,000; although no single loss exceeded US$75,000. One adviser reported a loss in excess of US$75,000 related to a fraudulent email. In general, these losses were not reported to regulators or law enforcement.

The report indicates that 25% of the broker-dealers that had losses related to fraudulent emails noted that these losses were the result of employees not following the firms’ procedures.

In its reports, FINRA says that broker-dealers identified the top three cyber threats as external hackers penetrating a firm’s systems; insiders compromising firm, or client, data; and, operational risks. The ranking of those threats varied by firm and by business model, it notes.

For example, it says that online brokerage firms and retail brokerages are more likely to list hackers as their top-priority risk, whereas firms that engage in algorithmic trading were more worried about insider risks. And, large investment banks, or broker-dealers, typically ranked risks from nation states, or hacktivist groups, more highly than other firms.

FINRA’s report also details practices that firms can use to strengthen their cybersecurity. It focuses on cybersecurity topics that can serve as a resource for firms developing, or enhancing their cybersecurity, including: governance and risk management; technical controls; incident response planning; vendor management; staff training; cyber intelligence and information sharing; and, the use of cyber insurance.

The self-regulatory organization says that while many of the practices discussed in the report are geared to large firms with sophisticated management structures, the regulator also believes that small firms can benefit too. “Much attention has been focused on advanced threats that firms face, and those certainly pose significant dangers. However, most successful attacks take advantage of fairly basic control weaknesses,” the report says. “While firms need to stay on guard, they can also take some comfort from this. To be sure, cybersecurity is challenging to address, but it is certainly not impossible. What is required is rigorous attention to detail and execution. Risk assessments can help firms identify and prioritize those steps that are most urgent to undertake. Information sharing can help firms understand the types of threats they may face and available mitigation measures.”

“Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program,” said Susan Axelrod, executive vice president for regulatory operations at FINRA. “Firms must make responding to these threats a high priority. This report builds on the insights from our recent cybersecurity sweep and highlights a series of principles and effective practices that firms can adapt to their particular circumstances.”

Investor alerts

In addition to the focus on firms, the regulators are also warning investors about these risks. Both FINRA and the SEC also issued new investor alerts encouraging investors to understand their firm’s cybersecurity policies.

FINRA’s new alert includes a series of questions investors can ask to help them better understand their firm’s cybersecurity activities and policies, as well as practical advice to help investors safeguard their brokerage accounts and personal financial information.

The bulletin from the SEC’s Office of Investor Education and Advocacy (OIEA), provides tips to help investors safeguard their online investment accounts.

“Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC chair, Mary Jo White. “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”