SEC warns about high threat of cyber attacks

The U.S. Securities and Exchange Commission is warning stock brokerages and financial advisers that a high threat exists for cyber attack, but says certain internal steps can be taken to better protect a firm’s assets and information.

Most brokerage firms (88%) and advisers (74%) have been the target of a cyber attack either directly or through one or more of their vendors, the SEC said Tuesday in a risk alert, citing findings from a cyber security examination program it conducted last year. The alert says firms, including insurance brokerages, are a routine target for cyber criminals.

The majority of cyber-related incidents reported by brokerages and advisers are related to malware and fraudulent emails, the SEC says, adding that more than a quarter (26%) of broker-dealers reported losses of more than $5,000 related to fraudulent emails. One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole, the SEC added.

In that case, the adviser’s employees had deviated from the firm’s identity authentication procedures, the SEC says. In fact, many (25%) of the broker-dealers that had losses related to fraudulent emails said the losses were also the result of employees not following the firms’ identity authentication procedures. It’s a lesson employee benefit firms can learn from as well.

“Cyber security is a persistent and growing threat,” says SEC Commissioner Luis Aguilar, adding that the cyber security examination showed firms “must take their cyber security duties seriously.”

The SEC's Office of Compliance Inspections and Examinations inspected 57 broker-dealers and 49 investment advisers for its "Cybersecurity Examination Initiative."

The majority of examined broker-dealers (93%) and advisers (83%) say they have adopted written information security policies, and most of the broker-dealers (89%) and the majority of the advisers (57%) conduct periodic audits to determine compliance with these information security policies and procedures.

Most of the firms examined by the SEC said they also conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. Not all firms require the same assessments of vendors with access to their networks, however, the SEC notes.

Most of the broker-dealers incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners (72%). In contrast, few of the advisers incorporate such requirements (24%).

Almost all of the examined broker-dealers (98%) and advisers (91%) say they make use of encryption in some form.

The SEC found many of the firms also provide their clients with suggestions for protecting their sensitive information.

The Financial Industry Regulatory Authority issued a separate report on Tuesday that also identified hacking as a major threat facing brokerages.
