Outside voices and views for advisers

Cyber assailants targeted in important new security sweep

The skill and sophistication of attackers are often outpacing firms' ability to protect themselves

Jun 7, 2018 @ 10:41 am

By Guy F. Talarico

According to compliance and cybersecurity experts, financial industry regulators are embarking on a new cybersecurity sweep, with a focus on registrants' data loss prevention, oversight of third-party service providers and incident response planning.

And with good reason. Cyber assailants continue to perpetrate increasingly sophisticated attacks on U.S financial institutions, including exploiting weaknesses to steal valuable data and breaching third-party information service provider systems. Yet many firms remain woefully ill-prepared to fend off the latest threats and lack actionable incident response plans to recover from a breach.

In the wake of minor malware attacks just five years ago, a newer breed of cyberthreats is a growing national concern. The latest of these include opportunistic phishing attacks, which are broad efforts to infect as many computers as possible. In contrast, more targeted "spear-fishing" attacks focus on specified individuals to perpetrate higher-value crime that is much harder to trace. An example of the latter includes organized crime rings that search social media sites to identify financial industry executives such as hedge fund managers, to compromise their accounts.

Equally as clever, criminals often create fake email accounts that are very similar to those of their targets, changing just one letter in the email address, an activity referred to as "typo-squatting."

Michael Brice, co-founder of BW Cyber Services, has seen multiple cases of fraudulent capital calls in which investors were duped into sending wire transfers to illicit accounts. And these activities are not insignificant, with wire transfers ranging anywhere from hundreds of thousands to millions of dollars irretrievably lost.

For cryptocurrency funds, the cyber stakes may be even higher. Not only are individual criminals involved, but organizations and countries like Korea are being traced to crypto-cyber malfeasance.

The skill and sophistication of attackers are often outpacing registrants in their ability to protect themselves. "Some simple security practices and operational precautions related to the collection and storage of personally identifiable information — a top regulatory priority — will go a long way to mitigating regulatory and even litigatory issues should a breach occur," Mr. Brice said.

Another regulatory focus area involves third-party service providers. When companies engage information technology service providers, they should review their cybersecurity policies and procedures, and not assume a provider is up to the task of protecting their data.

"Firms should require that their vendor either has deep technical expertise or enhanced security protection for systems and data as there is a strong possibility they are not doing it or not doing it very well," Mr. Brice explained.

Thus, even firms that are making their best effort to minimize cyberrisk may be operating with a false sense of security because executives often make incorrect assumptions regarding the risks they are dealing with. For instance, cyber insurance policies rarely cover wire transfers, Mr. Brice added. Yet this is one of the primary reasons organizations get cybersecurity policies in the first place.

As outlined in their respective 2018 examination priorities notifications, the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. are focusing their resources on examining the quality of registrants' written cybersecurity policies and procedures.

In February, the SEC issued guidance to encourage companies to assess the sufficiency of cybersecurity policies and procedures in part to satisfy federal securities law disclosure obligations. One goal of the guidance is to prevent directors and other insiders from making selective disclosures about cybersecurity risks or incidents and then trading on that information.

An important part of a firm's cybersecurity plan, vulnerability assessments and supporting penetration testing, or pen tests, aim to reveal security weaknesses before attackers do. The SEC allows leeway as to how firms conduct cyber pen testing but expect registrants to engage third-party experts to assist in this process. Doing so ensures both the quality and independence of testing results.

The cybersecurity plan must be customized to each firm and encompass a holistic approach to periodically assess, remediate and test the organization. Many firms engage cyber experts and compliance professionals to develop a cybersecurity plan as part of the compliance program.

Experienced professionals can ensure that a registrant's compliance program and cybersecurity plan address regulators' top focus areas — data loss prevention, third-party service providers, and response planning — and that the technical testing matches the registrant's risk profile.

The costs of retaining experts entails cost upfront, but those costs could be far outweighed by the reputational and financial impact of a breach. Moreover, it will help firms maintain an audit-ready posture.

(More: Financial professionals targeted by sophisticated 'keylogger' malware)

Guy F. Talarico is CEO of Alaric Compliance Services.


What do you think?

View comments

Recommended for you

Upcoming Event

Jul 10


Women Adviser Summit

The InvestmentNews Women Adviser Summit, a one-day workshop now held in four cities due to popular demand, is uniquely designed for the sophisticated female adviser who wants to take her personal and professional self to the next level.... Learn more

Featured video


Dynasty's Penney: The professionalization of the RIA industry

The RIA profession is evolving rapidly, but why and how? Shirl Penney of Dynasty Financial examines how the industry is growing and consolidating and what's next.

Latest news & opinion

Meet our new 40 Under 40s

For a fifth year, InvestmentNews is proud to shine a spotlight on the amazing accomplishments and potential of top young financial professionals.

Merrill re-evaluates commission ban in retirement accounts

The wirehouse's wealth management group announces a fresh look at the ban now that the DOL rule is on the brink of death.

10 biggest retirement mistakes

Adhere to enrollment deadlines and distribution rules or pay a hefty penalty.

DOL fiduciary rule on brink of death as key deadline passes

Justice Department didn't petition the Supreme Court to rehear the case. A mandate from the 5th Circuit would finally lay the fiduciary rule to rest.

Finra to overhaul broker information system, cut compliance costs for broker-dealers

The move is intended to cut compliance costs for firms as well as make the registration and disclosure process more efficient.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print