SEC Does Not 'Dictate' Cyber Controls, Cyber Chief Says

In assessing firms' cyber preparedness, the Securities and Exchange Commission is "looking for firms that have significant risks that they aren't disclosing," Robert Cohen, head of the agency's cyber unit, said Monday.

Speaking on a panel at the North American Securities Administrators Association's cyber roundtable in Washington, Cohen stated that it's not the "SEC's approach to dictate specific [cyber] controls" on regulated entities. "I don't know that that's the most effective way to ensure compliance. We do more, especially for the financial industry, through exams, to see what they're doing and see if they're prepared."

"For the commission to dictate you must do this, you must do that, sometimes we'll publicize best-practice issues … but generally, if the commission dictated something, I'd be concerned that it gets out of date really quickly."

The best source of expertise in the cyber realm, he added, "is within the industry and the consultants they employ."

What does the SEC look for when assessing firms' preparedness?

"Really you can learn a lot just by asking firms what they do to prepare" for cyber breaches, Cohen said.

Cohen cited the recent charge against Voya Financial Advisors Inc. for violating Regulation S-P or the Safeguards Rule and the Identity Theft Red Flags Rule, as "a classic mistake that we see."

Des Moines-based broker-dealer and investment advisor Voya, which agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers' personal information, "had policies and procedures and controls, but really didn't enforce it across the board," Cohen said.

The Voya case was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. "This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models," said Cohen, when the complaint was filed in late September. "They also must review and update the procedures regularly to respond to changes in the risks they face."

FBI Has Doubled Agents in Cyber Program

Meanwhile, Supervisory Special Agent Matthew Floyd of the FBI stated at the roundtable that cybercrime causes "billions of dollars of losses every year," and is the FBI's third priority behind counterterrorism and counterintelligence.

"We're continually banging our heads against a wall to try to figure out how we can better combat this," he said, adding that over the last several years the FBI has doubled the number of agents in its cyber program.

"As we look into cybercrime, very rarely does it not cross international borders," he added.

Business email compromise continues to be one of the top scams, with an average loss of $130,000.

Also "synthetic ID" is becoming a more prevalent scam against financial institutions, he said.

"An actor will take a real Social Security number and changing some of the variants of the personal identifying information and creating a 'synthetic ID' — a nonexistent person — they apply to some different credit lines, they had no credit to begin with … but then once you get denied credit, it actually creates a credit file. … Once they have that credit file established, they will attach it to someone else's credit — someone with good credit — … and over the course of six months that score will go from 300 up to 750, they'll detach it, and then they'll start opening bank accounts, credit cards…"

Financial institutions are "really struggling with this," Floyd said.

NASAA Initiatives

NASAA President-elect Frank Borger-Gilligan, who also serves as the assistant commissioner of the Tennessee Securities Division, within the state Department of Commerce & Insurance, noted at the roundtable that "last year, more than half of the adult online population in the U.S. were victims of cybercrimes," according to a 2017 Norton Cybersecurity Insights report.

Globally, cybercriminals stole $172 billion from 978 million consumers in over 20 countries in 2017. Cybercriminals, it was estimated, cost the world economy more than $600 billion last year, Borger-Gilligan said.

More alarming, he continued, financial services firms were "three hundred times more likely to be targeted than traditional American companies."

Last year, 61% of cyber victims were small businesses — which continue "to be the low-hanging fruit for cybercriminals," Borger-Gilligan said. "Smaller companies often lack the IT resources, the robust network defenses, and they mistakenly assume that they're too small to be targeted."

Couple this with the fact that 78% of nearly 18,000 state-registered investment advisors are one to two person shops, he added. "So it is clear how important the issue of cybersecurity is for our regulators."

More work is planned in the year ahead. This year, Borger-Gilligan said, NASAA is considering whether to adopt a model rule, which will provide "more direction to advisors and baseline protection for investors."

He noted that NASAA's Investment Adviser Section also recently published a model rule for public comment, which would require advisors to "adopt policies and procedures regarding information security," and will require them to deliver the policy annually to clients.

The comment period closes on Nov. 26.

— Check out People Have a False Sense of Cybersecurity: Study on ThinkAdvisor.