Financial firms — including financial advisers — are still coming up short in managing their cybersecurity efforts, according to External IT, which provides unified cloud computing to the financial services industry.
In a report titled "Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?” External IT examined structural deficiencies in how financial firms manage their cybersecurity efforts.
“Security, compliance and IT are one topic and they are interchangeable and a financial business needs to be structured that way,” said Sam Attias, managing director of financial services at External IT.
According to the report, financial cybersecurity is lacking in three key areas:
Security policy — firms fail to be proactive in their auditing of IT and IT security.
Accountability when moving company data — a firm's employees are often able to move company data to personal and home devices without accountability or tracking measures in place.
Disaster recovery — firms lack business continuity plans in place in case of emergency.
The report also found that financial firms don't properly vet third-party vendors before taking them on or use ones with inadequate technology. It recommends that firms record the software and data that vendors can access, even vendors hired to mitigate cybersecurity risks.
Brian Edelman, chief executive of Financial Computer Services, a company that works primarily in cybersecurity, said advisers often don't follow these measures because they are in the dark about where to go to get their information.
“It's not that advisers are neglecting cybersecurity measures intentionally,” Mr. Attias said, citing a lack of education and understanding as one of the biggest problems advisers face regarding cybersecurity. He recommended that advisers receive security awareness training, but emphasized that they do not need to become IT experts in order to manage their cybersecurity within their firms.
"The whole idea behind risk assessment is to verify independent third party that the firm is complying with the requirements that have been defined for them,” Mr. Edelman said. “It's a major problem when a financial adviser is not using a cybersecurity firm that understands financial services because he ends up being out of compliance as a result.”
The External IT whitepaper follows a September Securities and Exchange Commission Risk Alert on cybersecurity in which the agency's Office of Compliance Inspections and Examinations said it planned a new round of examinations to gather information on cybersecurity-related controls and assess implementation of certain firm controls. OCIE will focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
A week after the risk alert was issued, the SEC fined an adviser at St. Louis-based R.T. Jones $75,000 for a breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm's clients.
Prior to the September alert, the SEC and the Financial Industry Regulatory Authority Inc. had been monitoring the compliance of financial firms with cybersecurity standards.