SEC risk alert calls on advisory industry to do more to shore up cybersecurity

Advisory firms given more details on how examiners want systems protected from hackers.
AUG 08, 2017

Financial advisory firms are getting more advice from federal regulators on steps they should be taking to protect their information systems from hackers. Advisory firms need to do a better job of following their stated cybersecurity policies and they should correct all the vulnerabilities that periodic tests reveal, according to results from a new round of cybersecurity examinations by staff at the Securities and Exchange Commission. Advisers also need to do a better job of keeping the firm's security patches up-to-date, the new SEC exam risk alert said. It contained findings from 75 cybersecurity exams of advisory firms, broker dealers and funds conducted from September 2015 through June 2016. "The staff observed that a few of the firms had a significant number of system patches, that according to the firms, included critical security updates that had not yet been installed," the staff of the Office of Compliance Inspections and Examinations wrote. The importance of timely installation of security patches was highlighted earlier this year when the "WannaCry" ransomware attack hit more than 200,000 computers in 150 countries, encrypting computers and demanding $300 to release each computer. The malware spread through a bug in an old Windows version that Microsoft had issued a "critical" patch to fix two months earlier. (More: Cyberattack should prompt advisers to ask their IT professionals hard questions) The attack in May was especially damaging because it had a mechanism to spread through the network, infecting other computers that hadn't been updated. The SEC issued an alert specific to the issue of ransomware soon after the massive hack. Another area where firms should improve is in maintaining response plans for addressing data breaches and letting clients know about material events. Less than two-thirds of advisers have these plans in place, the alert said. The SEC alert also said broker-dealers were not doing as good a job as advisers and funds at having formal procedures for verifying customers' identities when clients request electronic transfers. (More: Passwords to become passé as more firms back biometrics) Federal regulators generally have been less prescriptive than some states when it comes to giving financial services firms detailed requirements for protecting their systems from attacks. Colorado recently implemented new rules requiring annual assessments, use of secure email, including digital signatures and encryption, and New York also has set specific rules for financial institutions. "The SEC hasn't been very specific about what it wants firms to do on cybersecurity," said Justin Kapahi, vice president for solutions and security at External IT. "I think we'll see a lot more states follow Colorado's lead." In the new alert, the SEC said the firms with robust cybersecurity protections reviewed the effectiveness of their security solutions with penetration tests, tracked access rights of employees, had formal patch management policies, made training mandatory, and established data access controls for mobile devices that used passwords and software that encrypted communications, among other steps.

Latest News

Why fixed income still belongs in your clients' portfolios
Why fixed income still belongs in your clients' portfolios

In an era of AI euphoria and market FOMO, getting back to basics with fixed income may be the most contrarian and most important move advisors can make.

Voya expands advisor managed accounts to add private market assets
Voya expands advisor managed accounts to add private market assets

Voya Financial adds private equity, credit and real estate options to its AMA program, building on support for looser federal investment rules in retirement accounts.

With executives leaving, Osaic’s Reid now in the spotlight
With executives leaving, Osaic’s Reid now in the spotlight

Shannon Reid, president of Osaic and the network’s number two executive, has plenty of challenges, industry executives said.

Investors sue crypto fund and platform, alleging $1.5 million never returned
Investors sue crypto fund and platform, alleging $1.5 million never returned

Auditors flagged the commingling. The COO allegedly knew. Investors kept getting the pitch

Wells Fargo nabs $1.7B RBC advisor team, loses two teams to LPL
Wells Fargo nabs $1.7B RBC advisor team, loses two teams to LPL

The advisors on the move include two brothers leading a family practice in Connecticut, and a husband-and-wife tandem working with business owners in the West Coast.

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.