Brokers are doing a better job than investment advisers when it comes to cybersecurity, a Securities and Exchange Commission examination sweep shows.
The agency, which released the results of its survey of 106 financial advice firms Tuesday, said most brokers and advisers have experienced some kind of data breach. Most breaches involve malware and fraudulent email.
The majority of financial advisers have written policies to protect data and periodically assess their ability to defend against cyberattacks, according to the SEC.
Also on Tuesday, Finra released the findings of its own examination sweep. The document outlines the best practices that Finra, the industry-funded broker-dealer regulator, culled from its review of a cross-section of member firms.
The SEC exams showed most investment advisers and brokers inventory and map their technology systems, software and devices, and almost all of them use encryption.
Investment advisers and brokers vary in other aspects of cybersecurity.
Although most advisers and brokers have written cybersecurity policies, more brokers than advisers — 89% to 57% — audit them to determine the firm's compliance.
Other differences: 71% of brokers put cybersecurity requirements in their contracts with vendors and business partners, while only 24% of investment advisers do. Two-thirds of brokers have a chief information security officer, while only 30% of advisers have a similar official. Instead, advisers give cybersecurity assignments to chief technology officers or another staff member. More than half of brokers have cybersecurity insurance, compared to 21% of advisers.
Neither brokers nor advisers do a good job of making clients whole in the case of a cyberattack. Only 15% of brokers and 9% of advisers guarantee to protect them against “cyber-related losses.”
The SEC's Office of Compliance Inspections and Examinations put cybersecurity on its priority list again for 2015.
“Cybersecurity threats know no boundaries,” SEC Chairman Mary Jo White said in a statement. “That's why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyberthreats has been, and will continue to be, an important focus of the SEC.”
The Finra exam report came to a similar conclusion. It said firms should establish policies, procedures and controls for addressing cyberthreats and responding to attacks, regularly assess risks at the firm and with vendors, encrypt data and consider buying cyber insurance.
The most important step may be buy-in from the top of the firm.
“Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue,” the Finra report states. “What is required is rigorous attention to detail and execution.”
The report did not propose new Finra cybersecurity rules. It is meant as a guideline for firms to establish their own policies.
“Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program,” Susan Axelrod, Finra executive vice president for regulatory operations, said in a statement. “Finra is keenly focused on cybersecurity, and firms must make responding to these threats a high priority.”
Advisory firms need to inventory their technology and the data they house and determine what kind of security they need to implement, said David Katz, a partner at Nelson Mullins Riley Scarborough.
“They should start that process as soon as possible,” Mr. Katz said. “If they haven’t done that, they’re behind the curve and need to catch up quickly.”
Now that both regulators have released the results of their exam sweeps, enforcement action may be next, said Brian Rubin, a partner at Sutherland Asbill and Brennan.
“The main takeaway is that this issue is high on the agenda of both regulators,” Mr. Rubin said. “With breaches, it's not a matter of 'if' but 'when.' If firms experience a breach, even though they may be victims, regulators will likely look at their policies, procedures and practices to see if the firms should have stopped the breach from occurring.”