SEC searches for role in battling cyber threats

Investment advisers are experiencing an increasing number of online attacks, participants in a round-table discussion at the Securities and Exchange Commission told agency officials Wednesday.
David Tittsworth, executive director of the Investment Adviser Association, said the primary risk that wealth managers in his group face is “account takeover,” in which a hacker poses as a client and tries to manipulate accounts.
“It seems to have grown in frequency a lot just in the last year or two,” he said during the panel discussion.
The Financial Regulatory Authority Inc., the broker-dealer regulator, is in the middle of a cyber-security sweep of a cross-section of member firms, according to Daniel Sibears, Finra executive vice president for regulatory operations shared services.
Preliminary results show that the top cyber risks identified by brokers include operational disruptions, internal attacks by employees, external attacks by hackers, denial of service and phishing attempts.
(Learn which firms are most at risk for cyberattacks.)
The financial advice industry is especially vulnerable to cyberattacks because advisory businesses are based on trust between the financial adviser and a client, said John Reed Stark, managing director at digital forensics firm Stroz Friedberg.
“The risk to investment advisers is particularly scary because one data breach can bring down an investment adviser quickly,” he said.
Although small firms have fewer resources to combat online predators, the entire financial services industry faces substantial threats, said John Denning, senior vice president for operational policy integration, development and strategy at Bank of America Merrill Lynch.
“The cyber risk is high for any company,” he said. “The key is early warning.”
The SEC convened the forum to help it better assess cyber security in the financial services industry and identify ways to protect firms and investors. SEC Chairman Mary Jo White attended the entire five-and-a-half hour meeting, which featured federal and industry officials as well as lawyers and other experts
“There is no doubt that the SEC must play a role in this area,” said Luis Aguilar, the commission member who suggested Wednesday’s session. “What is less clear is what that role should be.”
Mr. Aguilar urged the SEC to set up a cyber security task force that includes staff members from each of the commission’s divisions.
“As I explored this issue, it became readily apparent to me that the commission has much to learn about the specific risks that our regulated entities and public companies are facing,” Mr. Aguilar said. “Given the extent to which the capital markets have become increasingly dependent upon sophisticated and interconnected technological systems, there is a substantial risk that a cyberattack could cause significant and wide-ranging market disruptions and investor harm.”
Cyber security has long been a worry for the U.S. government and business. Its profile increased even more recently following massive customer data breaches at retailers Neiman Marcus, Target and possibly Michaels.
Both the SEC and Finra have made cyber security an examination priority this year. Last year, the SEC approved a rule that requires advisers to implement written identity theft programs.
Round-table participants cautioned the regulators not to come up with cyber security regulations that would force them to follow certain procedures that may quickly be overcome by clever hackers.
“Please resist the urge to impose prescriptive requirements,” Mr. Tittsworth said.
Finra will use the results of its cyber security sweep to determine whether to propose rules or issue guidance to its member firms.
“We recognize this is a rapidly changing environment,” Mr. Sibears said. “There has to be a component that allows firms to adapt.”
Investment advisory firms are a tempting target for hackers, said Javier Ortiz, vice president of strategy and global government affairs at Taasera Inc., a cyber security software company.
Not only do they manage clients’ money, they also collect data that can identify them personally.
“Access to that information is what the bad guys really want,” Mr. Ortiz said on the sidelines of the conference. “I would like my financial adviser to take great care of their systems that will protect my information.”