Think that your firm is too small or that your cyberdefenses are too strong to worry about digital attacks on your firm's—and your clients'—data? The SEC and FINRA don't think so. A reading of the regulators' official announcements and the insights of those who know how they operate suggest that advisors run the risk not only of compromised data but of major fines as the regulators gear up to make examples of firms for cybersecurity shortcomings.
Why the increased scrutiny? "We're not in Kansas anymore," said John Reed Stark of the digital security firm Stroz Friedberg in describing the current landscape for advisors. Over the past few years, attacks on advisors and their partners have morphed from the traditional account takeover (the hijacking of user names and passwords) into more dramatic attacks involving sophisticated malware that is not only highly disruptive but hard to trace.
The SEC and FINRA are addressing the threat head-on, with both regulators listing cybersecurity as one of their top priorities this year and launching exam sweeps of broker-dealers and advisors that focus on the issue.
Failing to prepare for such exams could cost BDs and advisors dearly. The law firm Sutherland Asbill & Brennan recently predicted that future cybersecurity enforcement actions by the SEC could result in significant fines.
Brad Bondi, a partner with the law firm Cadwalader, who participated in a cybersecurity-related webinar with Stark that was sponsored by Securities Docket in early May, agreed that "there will be a 'message' case or two" out of the exam sweeps being conducted by the SEC and FINRA. "You don't want to be part of that handful of firms that will have enforcement actions."
Stark, who headed the SEC's Office of Internet Enforcement from 1998 to 2009, told IA that the SEC will be looking to make an example of firms with lax data security policies. "That's the way the [SEC] enforcement division does business," he said. "They bring cases and bring them loudly and strongly, and use them to send a message to the marketplace."
Before the latest exam sweeps began, Sutherland noted that securities regulators had already brought enforcement actions against firms based on cybersecurity governance failures: having inadequate written policies and procedures; failing to enforce the written policies and procedures they did have; failing to conduct periodic assessments of cybersecurity procedures and measures; and failing to respond to deficiencies identified through such periodic assessments. (See sidebar, "Cybersecurity: What the Regulators May Do")
The security breaches at retail chains like Target and Neiman Marcus prompted the House Committee on Homeland Security to unanimously approve H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013, in early February. But Stark said that a "quiet evolution" has been taking place at the SEC for years to beef up its expertise regarding cybersecurity threats. It began with the launch of the Office of Internet Enforcement in 1998 and continued with former SEC Chairwoman Mary Schapiro's decision in 2010 to heighten the agency's focus on IT infrastructure issues, including requiring that an IT specialist accompany examiners on RIA exams.
Stark said that during his time at the SEC, account takeovers, not malware, were the most prevalent security breach. He described malware as malicious attacks that "infiltrate a network and exercise command or control with a large impact factor that is difficult to trace." But today, broker-dealers and advisors are increasingly susceptible to such attacks.
Indeed, during a cybersecurity roundtable held at the SEC's Washington headquarters in March, Craig Thomas, chief information security officer at Computershare, said that preparation is crucial to warding off attacks. Firms must "believe that you are going to get attacked. You have to be thinking ahead of the game; security is always trying to catch up with technology."
What Are the Risks?
Cyrus Amir-Mokri, assistant secretary for financial institutions at the Treasury Department, noted at the SEC roundtable that while the financial services industry is likely the "most advanced in terms of thinking about cybersecurity" as they have "become technology firms," firms should exert a constant effort to stay ahead of potential cybersecurity threats.
The top cybersecurity risks that broker-dealers face are operational risk, "insider" risk posed by rogue employees, and outside hackers penetrating BDs' systems, according to Daniel Sibears, executive vice president of member regulation programs at FINRA.
For advisory firms both large and small, "account takeover is the No. 1 risk" when it comes to cybersecurity, added David Tittsworth, executive director of the Investment Adviser Association (IAA). Account takeovers have grown over the past couple of years, he said.
But Stark said BDs and advisors are increasingly susceptible to malware-type attacks, and that is where the SEC is shifting its focus. Historically, he said, the SEC's focus on protecting customer data has been "more narrow." "Now it's more about protecting the marketplace overall from the ramifications of any data breach."
The SEC, he added, "has a history of getting in front of things, especially emerging technologies, and figuring out how best to regulate and enforce in those areas. This is what they are doing with respect to cybersecurity." Stark said that the commission has executed a "paradigm shift from protecting customers' data to protecting yourself from cybersecurity breaches overall."
Jane Jarcho, head of the SEC's investment advisor/investment company exam program, warned advisors at the IAA's compliance conference in March that "everybody has to be concerned about cybersecurity" and that there's "no pass for small firms."