Last year, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations examined 57 registered broker-dealers and 49 registered investment advisers in an effort to better understand how they address the legal, regulatory, and compliance issues associated with cyber-security. Now, as promised, OCIE is sharing what it learned.
Among the matters examiners studied were practices for identifying risks related to cyber-security; establishing cyber-security governance, including policies, procedures, and oversight processes; protecting firm networks and information; identifying risks associated with remote access to client information and transfer requests; addressing risks associated with vendors and third parties; and detecting unauthorized activity.
An OCIE risk alert released this week breaks down the findings of the Cyber-Security Examination Initiative:
The majority of examined broker-dealers and advisers have adopted written information security policies. Most of the broker-dealers (89 percent) and the majority of the advisers (57 percent) conduct periodic audits to determine compliance with these information security policies and procedures.
Written business continuity plans typically addressed the impact of cyber-attacks or intrusions.
Written policies and procedures generally did not address how firms determine whether they are responsible for client losses associated with cyber incidents.
Many firms are utilizing external standards and other resources to model their information security architecture and processes. Most of the broker-dealers (88 percent) and many of the advisers (53 percent) reference published cyber-security risk management standards, such as those published by the National Institute of Standards and Technology, the International Organization for Standardization, and the Federal Financial Institutions Examination Council.
The majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cyber-security threats, vulnerabilities, and potential business consequences. Fewer firms extend these assessments to their vendors.
A majority of the broker-dealers (88 percent) and the advisers (74 percent) said they have experienced cyber-attacks directly or through a vendor.
The majority of the cyber-related incidents were related to malware and fraudulent emails.
More than half of the broker-dealers and slightly less than half of the advisers reported receiving fraudulent emails seeking to transfer client funds. One-quarter of the broker-dealers that had losses related to fraudulent emails noted that these losses were the result of employees not following the firms’ identity authentication procedures.
Nearly two-thirds of the broker-dealers that received fraudulent emails reported them to the Financial Crimes Enforcement Network by filing a Suspicious Activity Report, but only a small number of those firms (7 percent) reported the fraudulent emails to law enforcement or other regulatory agencies. Advisers generally did not report incidents to a regulator or law enforcement.
Many examined firms identify best practices through information-sharing networks. Almost half of the broker-dealers were members of industry groups, associations, or organizations that exist for the purpose of sharing information regarding cyber-security attacks and identifying effective controls to mitigate harm. Many identified the Financial Services Information Sharing and Analysis Center as adding significant value in this effort.
Most of the broker-dealers (72 percent) incorporate requirements relating to cyber-security risk into their contracts with vendors and business partners; only 24 percent of the advisers do so. Similarly, a majority of the broker-dealers (51 percent) maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks, while far fewer advisers (13 percent) have such policies.
The designation of a Chief Information Security Officer varied by business model. Approximately two-thirds of the broker-dealers have an individual explicitly assigned as the firm’s CISO. Fewer than a third of the advisers have designated a CISO; those without one often direct their Chief Technology Officer to take on the responsibilities typically performed by that position, or assign another senior officer (among them the Chief Compliance Officer, Chief Executive Officer, or Chief Operating Officer) to work with a third-party consultant on cyber-security oversight.