Brokers do a better job at cybersecurity than investment advisers: SEC

Findings are in from exam sweeps by regulators

Feb 3, 2015 @ 2:16 pm

By Mark Schoeff Jr.

Brokers are doing a better job than investment advisers when it comes to cybersecurity, a Securities and Exchange Commission examination sweep shows.

The agency, which released the results of its survey of 106 financial advice firms Tuesday, said most brokers and advisers have experienced some kind of data breach. Most breaches involve malware and fraudulent email.

The majority of financial advisers have written policies to protect data and periodically assess their ability to defend against cyberattacks, according to the SEC.

Also on Tuesday, Finra released the findings of its own examination sweep. The document outlines the best practices that Finra, the industry-funded broker-dealer regulator, culled from its review of a cross-section of member firms.

The SEC exams showed most investment advisers and brokers inventory and map their technology systems, software and devices, and almost all of them use encryption.

Investment advisers and brokers vary in other aspects of cybersecurity.

Although most advisers and brokers have written cybersecurity policies, more brokers than advisers — 89% to 57% — audit them to determine the firm's compliance.

Other differences: 71% of brokers put cybersecurity requirements in their contracts with vendors and business partners, while only 24% of investment advisers do. Two-thirds of brokers have a chief information security officer, while only 30% of advisers have a similar official. Instead, advisers give cybersecurity assignments to chief technology officers or another staff member. More than half of brokers have cybersecurity insurance, compared to 21% of advisers.

Neither brokers nor advisers do a good job of making clients whole in the case of a cyberattack. Only 15% of brokers and 9% of advisers guarantee to protect clients against “cyber-related losses.”

The SEC's Office of Compliance Inspections and Examinations put cybersecurity on its priority list again for 2015.

“Cybersecurity threats know no boundaries,” SEC Chairman Mary Jo White said in a statement. “That's why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyberthreats has been, and will continue to be, an important focus of the SEC.”

The Finra exam report came to a similar conclusion. It said firms should establish policies, procedures and controls for addressing cyberthreats and responding to attacks, regularly assess risks at the firm and with vendors, encrypt data and consider buying cyber insurance.

The most important step may be buy-in from the top of the firm.

“Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue,” the Finra report states. “What is required is rigorous attention to detail and execution.”

The report did not propose new Finra cybersecurity rules. It is meant as a guideline for firms to establish their own policies.

“Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program,” Susan Axelrod, Finra executive vice president for regulatory operations, said in a statement. “Finra is keenly focused on cybersecurity, and firms must make responding to these threats a high priority.”

Advisory firms need to inventory their technology and the data they house and determine what kind of security they need to implement, said David Katz, a partner at Nelson Mullins Riley Scarborough.

“They should start that process as soon as possible,” Mr. Katz said. “If they haven’t done that, they’re behind the curve and need to catch up quickly.”

Now that both regulators have released the results of their exam sweeps, enforcement action may be next, said Brian Rubin, a partner at Sutherland Asbill and Brennan.

“The main takeaway is that this issue is high on the agenda of both regulators,” Mr. Rubin said. “With breaches, it's not a matter of 'if' but 'when.' If firms experience a breach, even though they may be victims, regulators will likely look at their policies, procedures and practices to see if the firms should have stopped the breach from occurring.”

In addition to their exam reports, Finra and the SEC issued investor bulletins about cybersecurity. State regulators put out a similar advisory last week.

