Cybersecurity gets the SEC's attention as agency plans to query advisers on safeguards

Regulator beginning to think computer breaches not only put clients at risk, they put the financial system at risk too

Apr 17, 2014 @ 2:25 pm

By Mark Schoeff Jr.

SEC, Finra, Heartbleed, Internet security, data breaches, Target, Neiman Marcus, advisers
+ Zoom

At a time when an online threat is panicking Internet users, the Securities and Exchange Commission has provided financial advisers with a detailed checklist of what it expects firms to provide in terms of cybersecurity protection.

The SEC on Tuesday posted a risk alert that outlines the areas it will assess in an upcoming examination of more than 50 registered investment advisers and broker-dealers.

The seven-page document contains 28 requests that cover an advisory firm's cybersecurity governance, ability to protect its networks and client information, ability to assess risks associated with remote client access and fund transfers and its use of vendors and other third parties.

The SEC also wants to know how a firm detects security breaches and what its experience has been with such incidents.

“Every financial firm in the U.S., and probably in the world, should spend some time reviewing [the alert],” said John Reed Stark, managing director of Stroz Friedberg, a digital risk management firm. “It is the prism through which the SEC is viewing cybersecurity. Firms should take advantage and use this inside information to prepare for the regulatory onslaught that is clearly beginning.”

Mr. Stark on what the SEC is looking for from firms in cybersecurity examinations.

The tone of the document shows a change in the SEC's thinking, according to Mr. Stark, former head of the agency's Internet enforcement office. It is looking at cyberpredators as a holistic danger.

“If a firm is attacked, it's no longer just a threat to the firm's customer, it's a threat to the global financial marketplace,” Mr. Stark said.

He participated in a daylong cybersecurity forum at the SEC on March 26. SEC Chairman Mary Jo White attended almost the entire event. The Financial Industry Regulatory Authority Inc., the broker-dealer regulatory, also plans to conduct cybersecurity examinations this year.

The increasing interest in cybersecurity comes as anxiety about the “Heartbleed” bug is sparking a worldwide rush to change passwords as retailers such as Target and Neiman Marcus have suffered massive customer data breaches.

One of the SEC's goals in its examinations is to acclimate itself to the current state of cybersecurity, according to Amy Lynch, president of FrontLine Compliance, a consulting firm.

“It looks very much like a fact-finding mission for the SEC,” Ms. Lynch said. “They want to learn how firms are utilizing technology and the controls they have in place around it.”

Even though the SEC is going to examine only a handful of firms, it is using the sweep to send a message about what it views as best practices, said Dan Bernstein, director of research and development at MarketCounsel, a compliance consulting firm.

The result is not going to be a specific set of instructions to follow. Cybersecurity safeguards will depend on how much access firms have to client information and how they manage it, Mr. Bernstein said.

(See also: American Funds urges new client passwords over Heartbleed)

“It's going to be facts- and circumstances-based,” Mr. Bernstein said. “Some firms will need more protections than others. The advisers that have a strong privacy policy, a data-protection plan, an identity theft program and a business continuity plan will be in strong shape.”

Larger firms will have an easier time passing muster than smaller firms, according to Ms. Lynch.

“Where it gets murky is for midsize and smaller firms that don't have robust IT departments,” Ms. Lynch said.

Cybersecurity is even more important in the financial advice industry than in retail, Mr. Stark said. If a department store is breached, customers likely will come back. They may not be as loyal to an adviser because the attack hits a more vulnerable place — their money.

“If you get a call from your broker or investment adviser that your account has been compromised, you're going to seriously contemplate transferring your assets elsewhere,” Mr. Stark said.

0
Comments

What do you think?

View comments

Recommended for you

Sponsored financial news

Upcoming Event

Apr 30

Conference

Retirement Income Summit

Join InvestmentNews at the 12th annual Retirement Income Summit - the industry's premier retirement planning conference.Much has changed - and much remains to be learned. Attend and discuss how the future is full of opportunity for ... Learn more

Featured video

Events

Carson Group's West: Family feud financial dynamics

Finding (and retaining) wealthy families to manage their wealth can be challenging. Carson Group's Paul West explains the secret to family success - and how can you keep them as clients for generations.

Video Spotlight

The Search for Income

Sponsored by PGIM Investments

Recommended Video

Path to growth

Latest news & opinion

T. Rowe Price steps up its game to serve financial advisers

The Baltimore-based mutual fund giant is more aggressively targeting financial advisers with a beefed-up wholesale crew and placement on custodial platforms.

The most important tax changes for 2018

The Internal Revenue Service issued inflation adjustments to more than 50 tax provisions for 2018.

Shift to Roth 401(k)s 'highly likely' part of tax reform: former Treasury official Mark Iwry

Mandated contributions to Roth accounts would likely only be partial, as opposed to having a full repeal of pre-tax accounts.

E*Trade acquiring custodian Trust Company of America

Discount broker buying second-tier custodian for $275 million.

Another thousand Dow points higher, and investors yawn

Market milestones keep falling like dominoes, with 51 records broken so far this year.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print