Cybersecurity efforts still falling short at financial services firms

Report cites policy, accountability and disaster recovery as three areas of weakness

Nov 3, 2015 @ 2:43 pm

By Laura Sanicola

Financial firms — including financial advisers — are still coming up short in managing their cybersecurity efforts, according to External IT, which provides unified cloud computing to the financial services industry.

In a report titled “Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?” External IT examined structural deficiencies in how financial firms manage their cybersecurity efforts.

“Security, compliance and IT are one topic and they are interchangeable and a financial business needs to be structured that way,” said Sam Attias, managing director of financial services at External IT.

According to the report, financial cybersecurity is lacking in three key areas:

Security policy — firms fail to be proactive in their auditing of IT and IT security.

Accountability when moving company data — a firm's employees are often able to move company data to personal and home devices without accountability or tracking measures in place.

Disaster recovery — firms lack business continuity plans in case of emergency.

The report also found that financial firms fail to properly vet third-party vendors before taking them on, or use vendors with inadequate technology. It recommends that firms record the software and data that vendors can access, including vendors hired to mitigate cybersecurity risks.

Brian Edelman, chief executive of Financial Computer Services, a company that works primarily in cybersecurity, said advisers often don't follow these measures because they are in the dark about where to go to get their information.

“It's not that advisers are neglecting cybersecurity measures intentionally,” Mr. Attias said, citing a lack of education and understanding as one of the biggest problems advisers face regarding cybersecurity. He recommended that advisers receive security awareness training, but emphasized that they do not need to become IT experts in order to manage their cybersecurity within their firms.

“The whole idea behind risk assessment is to verify independent third party that the firm is complying with the requirements that have been defined for them,” Mr. Edelman said. “It's a major problem when a financial adviser is not using a cybersecurity firm that understands financial services because he ends up being out of compliance as a result.”

The External IT whitepaper follows a September Securities and Exchange Commission Risk Alert on cybersecurity in which the agency's Office of Compliance Inspections and Examinations said it planned a new round of examinations to gather information on cybersecurity-related controls and assess implementation of certain firm controls. OCIE will focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

A week after the risk alert was issued, the SEC fined an adviser at St. Louis-based R.T. Jones $75,000 for a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm's clients.

Prior to the September alert, the SEC and the Financial Industry Regulatory Authority Inc. had been monitoring the compliance of financial firms with cybersecurity standards.

