
SEC exams director warns advisers to strengthen cyber defenses

Richard Best tells an audience of compliance professionals that online attacks pose a threat to firms of all sizes.

Online attacks aimed at the financial system are a top concern for regulators, and small advisory firms aren’t immune to the trend, an SEC official warned Wednesday.

“Cybersecurity threats are going to continue to be a persistent and increasing menace, not only to investors but to financial institutions and the very fabric of our markets,” Richard Best, director of the SEC’s examinations division, said at the ComplyConnect conference in Austin, Texas. “The past 12 to 24 months have been just an incredibly active period.”

Cyber criminals are as intent on attacking a small advisory firm or brokerage as they are on breaching the walls of large firms.

“Organizations of all sizes are at risk and need to harden their systems and have a plan to remediate any infiltrations and return to a normal operating posture,” Best said. “The days of security through obscurity are over. Just because you’re not a large multinational doesn’t mean you’re not a target.”

The Securities and Exchange Commission proposed a cybersecurity rule for investment advisers earlier this year. Many advisers and organizations representing them have criticized the measure for imposing a 48-hour reporting period for cyberattacks, a turnaround time they say would be difficult to meet.

Best didn’t mention the proposal, but he did outline some of the cyber deficiencies the agency has seen in examinations over the years. They include lacking cybersecurity policies and procedures or not following them, allowing too many exceptions to multifactor authentication, and failing to train staff. Another problem was a lack of engagement with cybersecurity among top firm officials.

“The risks that we see in this area are myriad,” Best said. “We see that [across] all of our registrant population. There is increasing interconnectedness in this area, which makes attention to these risks ever more important.”

Beyond addressing internal cybersecurity policies and procedures, advisers also should assess the vulnerabilities of their vendors and consider the possibility of breaches related to weather disasters and remote work.  

Anticipating and preparing for a cyber incident like a ransomware attack is better than cleaning up afterward, Best said.

“The time to consider a ransomware attack is not when you become a victim of one,” he said.

The audience was primarily made up of compliance professionals. During a moderated Q&A session, Best was asked when the SEC will resume in-person examinations after suspending them for the most part during the pandemic.

He pointed out that the conference, which was sponsored by compliance consulting firm Comply, was occurring in person. Americans also are once again attending concerts and sports events, he said.

“You shouldn’t be surprised if you get a call and the examiners say they want to come on site, because it’s not 2020 anymore. It’s 2022,” Best said. “It doesn’t mean that there’s anything wrong. It just means that, like the rest of the country, we’re transitioning back.”

But a hybrid approach is likely to continue, with the agency conducting some work remotely, he said.
