Early in 2014, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) announced its intention to conduct an examination of certain registered broker-dealers and investment advisers in order to assess the general vulnerability of the securities industry, as a whole, to cyber-attacks. On February 3rd the OCIE released the results of the survey in the form a “Risk Alert” (the “OCIE Report“). On the same day the Financial Industry Regulatory Authority (FINRA) released a somewhat related report entitled “Report on Cybersecurity Practices” (the “FINRA Report”) which focuses on both identifying cybersecurity issues faced by broker-dealers and recommending strategies for combating them. While the results presented in both reports are generally positive, there were some surprising and notable weaknesses.
In conducting its examination the OCIE examined 57 registered broker-dealers and 49 registered investment advisers representing a cross-section of the financial services industry as noted in the Appendix to its Risk Alert (the “OCIE Report”). The OICE’s examination focused on analyzing: the general preparedness of the participant firms to cyber-threats/attacks; the steps taken by participant firms to proactively combat such threats/attacks; the actual incidence of such threats/attacks; and how the participant firms responded to such threats/attack. As noted in the OICE Summary:
“the [OCIE] staff collected and analyzed information from the selected firms relating to their practices for: identifying risks related to cybersecurity; establishing cybersecurity governance, including policies, procedures, and oversight processes; protecting firm networks and information; identifying and addressing risks associated with remote access to client information and funds transfer requests; identifying and addressing risks associated with vendors and other third parties; and detecting unauthorized activity.”
While the OCIE Report notes that the “staff held interviews with key personnel” of each participating firm, the OCIE’s study is based primarily on the responses received by the participating firms to its questionnaire. The questionnaire consisted of approximately twenty-eight (28) questions (some in multiple parts), a sample of which was released as part of the OCIE’s April 15, 2014 Risk Alert outlining the examination initiative.
Per the OCIE Report, most of the examined firms reported having been the subject of a cyber-related incident (either directly or indirectly through a third-party). That being said, the overall results of the OCIE’s examination were positive. Some of the highlights are as follows:
- The majority of participating broker-dealers and investment advisers had adopted written information security policies, and routinely conduct periodic risk assessments and policy audits (on a firm-wide basis) to identify cybersecurity threats/attacks;
- Almost half of the participating firms reported identifying best cyber-security practices through information-sharing networks and/or peer groups; and
- Almost all the examined broker-dealers (98%) and investment advisers (91%) make use of encryption in some form (more surprisingly to me however, is that there are actually some broker-dealers and investment advisers who are NOT using encryption … Really??).
Despite the positive results above, the study did identify two areas of glaring weaknesses which I will address in more detail later: third-party risk assessment policies and procedures; and use of insurance/allocation of loss. It should also be noted that, in conducting the examination, the OCIE relied on the information provided by the participating firms (either verbally or as part of the survey) and did not conduct any independent testing of the cybersecurity policies or procedures identified by the participating firms.
Similar to the OCIE examination, in preparing its report FINRA conducted a target examination of a cross-section of firms (though limited to registered broker-dealer firms) in order to identify the primary cybersecurity concerns currently plaguing the broker-dealer industry. Unlike the statistical focus of the OCIE Report however, the FINRA Report focused on presenting both a compendium of the main cybersecurity issues faced by broker-dealers as well as recommendations for mitigating the risks/adverse effects of each.
The FINRA Report is broken up into eight primary segments of concern:
- Governance and Risk Management for Cybersecurity;
- Cybersecurity Risk Assessment;
- Technical Controls;
- Incident Response Planning;
- Vendor Management;
- Staff Training;
- Cyber Intelligence and Information Sharing; and
- Cyber Insurance
Each segment of the report attempts to review the subject issue, in detail, and provide substantive proactive/reactive (as applicable) recommendations for mitigating the risks/adverse effects of such issue. What is particularly effective, in my opinion, is the use of a number of real life “Case Study” analyses in order to highlight the respective subject cybersecurity concern. Moreover, the FINRA Report includes the following very useful appendices:
- Appendix I – “Summary of Principles and Effective Practices”: This Appendix summarizes the general cybersecurity principles outlined throughout the report, and recommended practices in connection with such principles, in a very succinct and readable format;
- Appendix II – “The NIST Framework”: This Appendix outlines and explains the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity Version 1.0” (use of which is recommended by FINRA); and
- Appendix III – “Encryption Considerations”: This Appendix outlines a very brief summary of issues affecting the selection and use of encryption technologies.
As noted above, one of the major areas of weaknesses is with respect to mitigating third-party security risks. Many broker-dealer and investment advisor firms engage, or otherwise work with, certain third-party vendors or other parties (e.g. accountants, business valuation analysts, issuers, etc.). Further, in most instances these third-parties are granted access (in varying degrees) to certain confidential information of the broker-dealer/investment advisor firm and/or their investors. Regardless of how strong a given firm’s cybersecurity policies may be, security breaches can easily arise when the cybersecurity policies of a third-party, who has access to the firm’s information, are lax or non-existent.
According to the OCIE Report, 84% of the participating broker-dealer firms, and only thirty-two percent of the participating investment adviser firms, required cybersecurity risk assessments of third-parties with access to their networks. Similarly, although specific percentages were not identified, the FINRA Report includes “Vendor Management” as one of its key discussion segments.
While the above percentages are cause enough for concern, I am going to go out on a limb and say that they would be downright scary if the OCIE Report surveyed broker-dealers and investment advisors who do a substantial amount of work with crowdfunding portals. This is not to say that crowdfunding portals (in general), and/or the broker-dealers/investment advisors that work with them, are not secure. With the growing number of portals however, it is hard for me to believe (and I could be wrong) that all of them have implemented strong cybersecurity policies (and even harder to believe that each of the broker-dealers/investment advisors the portals are working with have taken measures to require such policies). As the relationship between crowdfunding portals and broker-dealers/investment advisors can (and often do) result in the substantial sharing of confidential company and investor information, any broker-dealer/investment advisors working with a crowdfunding portal should require (and periodically audit) the cybersecurity policies of the portal to help mitigate breaches of their own system.
The second major area of concern is with respect to allocation of loss and whether a firm maintains insurance for cybersecurity incidents. Per the OCIE Report barely more than half (58%) of broker-dealers (72% per the FINRA Report however), and less than a quarter (21%) of investment advisors, maintain insurance for cybersecurity incidents. Moreover, of the broker-dealers and investment advisors participating in the OCIE Report and the FINRA Report, only a small portion actually had written policies and procedures addressing how to calculate, and whether they were responsible for, client losses associated with cyber incidents (and even fewer offering guarantees against such losses). Neither broker dealer nor investment advisor firms are currently required to carry insurance for cybersecurity incidents and/or have written policies addressing client loss in the event of such incidents (even under the new recommendations provided in the FINRA Report). That being said, given the low number of firms that actually have one or both of the foregoing, investors NEED to be aware of this fact when deciding to work (or to continue to work) with a particular broker dealer/investment advisor firm.
Both of the OCIE Report and the FINRA Report provide useful information in terms of the state of the industry with respect to cybersecurity risk. Many of us tend to think that financial institutions are somehow less prone, or have better cybersecurity, then other organizations. If there is one thing that these reports remind us it is that broker-dealer and investment advisor firms are still highly susceptible to cyber-attacks (even less sophisticated attacks such as email and phishing scams). Another major take-away of these reports, in particular the FINRA report, is that the SEC and FINRA are going to place continued concern on the cybersecurity practices of financial entities. While the FINRA Report makes it clear that it “does not create any new legal requirements or change any existing regulatory obligations,” I am hard pressed to believe that FINRA (and the SEC) will not be using the recommendations outlined in the FINRA Report as a rubric for evaluating a company’s respective cybersecurity policies/practices.
So, for all you financial companies out there, I highly suggest that you review your current cybersecurity policies and practices in light of the information provided in the FINRA Report (especially Appendix I). I am going to pass the same recommendation on to all you crowdfunding portals out there as well, as I am sure many of you will be held to the same standard soon enough (if not already).
Cheer up though … at least I’m not billing you for the excellent advice….