SIFMA says Sony hack is cautionary tale for CARDS

The recent cyberattack on Sony Pictures Entertainment holds lessons for Finra's pending data-collection proposal, SIFMA executive argues

Dec 23, 2014 @ 12:37 pm

By Mark Schoeff Jr.

A recent cyberattack on Sony Pictures Entertainment did more than lead to the limited Christmas release for the movie “The Interview.” It also served as a cautionary tale for Finra's pending data-collection proposal, according to a major financial industry interest group.

The Securities Industry and Financial Markets Association has been trying to stop Finra's Comprehensive Automated Risk Data System, which would enable the broker-dealer regulator to collect reams of brokerage account information on a monthly basis and analyze it for sales trends that could potentially harm investors.

“Housing all this financial data in one place does not make sense,” Ira Hammerman, SIFMA executive vice president and general counsel, said in a recent interview. “The Sony hacking incident gives everyone involved a real-life, real-time reminder of what we've been saying in our comment letters over the last year or so.”

The Financial Industry Regulatory Authority Inc. did not directly respond to Mr. Hammerman's assertion. It reiterated that it is reviewing comment letters and considering adjustments to CARDS.

In its Sept. 30 regulatory notice on the proposal, Finra addressed data-security concerns. It pointed out that CARDS will not collect personally identifiable customer information, such as name, address or tax identification number.

“In the absence of [personally identifiable information], Finra believes that CARDS would not contain information that would enable accounts to be linked across firms or that would reasonably enable a potential hacker to determine the identity of an account's owner,” the notice states. “Moreover, all data sent to Finra would be encrypted in transmission and after receipt in a way that would not permit anyone to read or interpret the data without the proprietary encryption keys.”

Those reassurances are not enough for Mr. Hammerman. He worries about creating a central repository for information such as securities transactions, holdings and account profiles.

“[Hackers] will figure out a way to link that sensitive information to some other database” and identify individual account holders, he said. “If the bad guys break into Finra, they've got everything.”

Hackers will not be able to do harm directly from the CARDS database, Finra said.

“Unlike financial firm account databases, access to the CARDS database would provide no ability for potential hackers to access or cause movements of either cash or securities,” the notice states.

A cybersecurity expert said that not all businesses have the same vulnerabilities as Sony, but the episode should remind them all to reassess their defenses.

“The attack demonstrates how problematic a major attack can be, even after all the attention that companies have devoted in recent months and years to improving cybersecurity,” John Villasenor, a nonresident senior fellow at the Center for Technology Innovation at the Brookings Institution wrote in an email. “That's a lesson that is certainly relevant to data collection in the context of providing brokerage services.”

The Sony attack is not the only recent talking point SIFMA has utilized to bash CARDS. Last week, it released the results of an online survey conducted by Harris Poll from Nov. 18-24 that shows that 69% of 1,103 respondents opposed CARDS after they were read a description of the proposal. Most of the respondents were not initially familiar with Finra.

Mr. Hammerman said the poll represented “the investors' voice saying 'thanks but no thanks' with respect to Finra proposing the CARDS system.”

He defended a poll that required that participants be educated on a topic before giving an opinion, leaving SIFMA room to shape perceptions during the process.

“We used a reputable firm,” Mr. Hammerman said. “There's total transparency with respect to the questions that were asked.”

Finra released its own poll earlier in the fall showing that investors are willing to pay more for stronger regulation.

“We will review the results of the SIFMA survey, as well as other investor surveys that are more broadly drawn, including comparing the results to a recent Finra survey on investor attitudes,” Finra spokesman George Smaragdis said in a statement.

Finra, the industry-fund broker-dealer regulator, has not indicated when it will take the next step on the CARDS proposal, which ultimately must be approved by the Securities and Exchange Commission before going into effect.


What do you think?

View comments

Recommended for you

Upcoming Event

Mar 14



InvestmentNews is honoring female financial advisers and industry executives who are distinguished leaders at their firms. These women have advanced the business of providing advice through their passion, creativity, inclusive approach and... Learn more

Featured video


Where in the U.S. are RIAs growing the fastest?

InvestmentNews' deputy editor Robert Hordt talks to senior columnist Jeff Benjamin about his report on how registered investment advisers are faring in different regions of the country.

Latest news & opinion

Top 10 RIAs in the South

These are the largest registered investment advisory firms in the Southern U.S., based on AUM.

Top 10 RIAs in the Midwest

These are the largest registered investment advisers in terms of AUM in the Midwestern U.S.

Top 10 RIAs in the Northeast

These are the largest registered investment advice firms in the Northeastern U.S., in terms of assets under management.

10 predictions for financial advice in 2019

Deloitte expects these 10 changes will hit the financial advice business in 2019.

Midwestern magic? RIA assets soared nearly 30% there last year

Theories for what's driving the growth spurt abound, but it surpassed all other regions of the country.


Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting It'll help us continue to serve you.

Yes, show me how to whitelist

Ad blocker detected. Please whitelist us or give premium a try.


Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print