A recent cyberattack on Sony Pictures Entertainment did more than lead to the limited Christmas release for the movie “The Interview.” It also served as a cautionary tale for Finra's pending data-collection proposal, according to a major financial industry interest group.
The Securities Industry and Financial Markets Association has been trying to stop Finra's Comprehensive Automated Risk Data System, which would enable the broker-dealer regulator to collect reams of brokerage account information on a monthly basis and analyze it for sales trends that could potentially harm investors.
“Housing all this financial data in one place does not make sense,” Ira Hammerman, SIFMA executive vice president and general counsel, said in a recent interview. “The Sony hacking incident gives everyone involved a real-life, real-time reminder of what we've been saying in our comment letters over the last year or so.”
The Financial Industry Regulatory Authority Inc. did not directly respond to Mr. Hammerman's assertion. It reiterated that it is reviewing comment letters and considering adjustments to CARDS.
In its Sept. 30 regulatory notice on the proposal, Finra addressed data-security concerns. It pointed out that CARDS will not collect personally identifiable customer information, such as name, address or tax identification number.
“In the absence of [personally identifiable information], Finra believes that CARDS would not contain information that would enable accounts to be linked across firms or that would reasonably enable a potential hacker to determine the identity of an account's owner,” the notice states. “Moreover, all data sent to Finra would be encrypted in transmission and after receipt in a way that would not permit anyone to read or interpret the data without the proprietary encryption keys.”
Those reassurances are not enough for Mr. Hammerman. He worries about creating a central repository for information such as securities transactions, holdings and account profiles.
“[Hackers] will figure out a way to link that sensitive information to some other database” and identify individual account holders, he said. “If the bad guys break into Finra, they've got everything.”
Hackers will not be able to do harm directly from the CARDS database, Finra said.
“Unlike financial firm account databases, access to the CARDS database would provide no ability for potential hackers to access or cause movements of either cash or securities,” the notice states.
A cybersecurity expert said that not all businesses have the same vulnerabilities as Sony, but the episode should remind them all to reassess their defenses.
“The attack demonstrates how problematic a major attack can be, even after all the attention that companies have devoted in recent months and years to improving cybersecurity,” John Villasenor, a nonresident senior fellow at the Center for Technology Innovation at the Brookings Institution wrote in an email. “That's a lesson that is certainly relevant to data collection in the context of providing brokerage services.”
The Sony attack is not the only recent talking point SIFMA has utilized to bash CARDS. Last week, it released the results of an online survey conducted by Harris Poll from Nov. 18-24 that shows that 69% of 1,103 respondents opposed CARDS after they were read a description of the proposal. Most of the respondents were not initially familiar with Finra.
Mr. Hammerman said the poll represented “the investors' voice saying 'thanks but no thanks' with respect to Finra proposing the CARDS system.”
He defended a poll that required that participants be educated on a topic before giving an opinion, leaving SIFMA room to shape perceptions during the process.
“We used a reputable firm,” Mr. Hammerman said. “There's total transparency with respect to the questions that were asked.”
Finra released its own poll earlier in the fall showing that investors are willing to pay more for stronger regulation.
“We will review the results of the SIFMA survey, as well as other investor surveys that are more broadly drawn, including comparing the results to a recent Finra survey on investor attitudes,” Finra spokesman George Smaragdis said in a statement.
Finra, the industry-fund broker-dealer regulator, has not indicated when it will take the next step on the CARDS proposal, which ultimately must be approved by the Securities and Exchange Commission before going into effect.