On Feb. 3, 2015, the Securities and Exchange Commission (SEC) published a Risk Alert summarizing observations gleaned from a cybersecurity examination sweep of 57 registered broker-dealers (BDs) and 49 registered investment advisers (IAs). The examination sweep followed an April 2014 announcement that the SEC’s Office of Compliance Inspections and Examinations (OCIE) 2014 Examination Priorities included a focus on technology, with a cybersecurity initiative (Cybersecurity Initiative) to identify areas where the SEC and the securities industry can work together to protect investors and capital markets from cyber threats. The Cybersecurity Initiative was designed to assess cybersecurity preparedness in the industry and obtain information about the industry’s recent experiences with certain types of cyber threats. In the examinations, OCIE collected and analyzed information from the selected BDs and IAs to assess their ability to generally identify, protect, detect, respond to, and recover from common cyber threats and vulnerabilities.
Our Legal Update highlights the key findings of the SEC’s 2014 Cybersecurity Initiative examination.
Cybersecurity Policies and Procedures are Strong
The vast majority of examined BDs (93 percent) and IAs (83 percent) have adopted written cybersecurity policies and procedures. Most of the BDs (89 percent) and the majority of the IAs (57 percent) conducted periodic audits to test compliance with their cybersecurity policies and procedures. Furthermore, 88 percent of the BDs’ and 53 percent of the IAs’ policies and procedures have incorporated leading cybersecurity risk management guidelines, such as the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (the NIST Framework) and recommendations published by the Federal Financial Institutions Examination Council (FFIEC). Consistent with the NIST Framework and FFIEC’s recommendations, almost all of the BDs (98 percent) and IAs (91 percent) examined by OCIE utilized some form of encryption as part of their baseline protections.
Cyber Attacks are Widespread; Cyber Insurance, Not So Much
A significant number of examined BDs (88 percent) and IAs (74 percent) indicated that they have experienced cyber attacks directly or through one or more of their third-party relationships. The majority of the cyber incidents reported by the BDs and IAs were related to malware and fraudulent emails. One-quarter (25 percent) of the BDs that suffered losses related to fraudulent emails stated that such losses were due to their own employees failing to adhere to their firms’ identity authorization processes. In addition, over half of the BDs (54 percent) and just under half of the advisers (43 percent) reported receiving fraudulent emails seeking to transfer client funds. Despite the significant number of cyber attacks and recent regulatory focus, it appears that the securities industry has not widely adopted cyber insurance. Just over half of the examined BDs maintained insurance for cybersecurity incidents (58 percent) and a smaller number of the IAs (21 percent) maintained insurance that covers losses and expenses attributable to cybersecurity incidents. Out of the BDs and IAs examined by OCIE, only one BD and one IA reported filing cyber insurance claims.
Sharing is Caring
Almost two-thirds of the BDs (65 percent) that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network by filing Suspicious Activity Reports. Only a small number of those firms reported the fraudulent emails to law enforcement or other regulatory agencies (7 percent). Fewer than half of the BDs (47 percent) were members of industry groups, associations or organizations (both formal and informal) that exist for the purpose of sharing information on cyber attacks and notifying members of potential patches or updates to mitigate the risk of the cyber attacks. Not enough BDs and IAs participate in the Financial Services Information Sharing and Analysis Center or share information with other government agencies to assist financial institutions with identifying and responding to cyber attacks.
What’s Next?
The SEC’s focus on cybersecurity will continue in 2015 and beyond. To be sure, OCIE’s 2015 priorities include a continued focus on cybersecurity through risk-based examinations. Moreover, the examination results are instructive in trying to project the types of matters that may be of interest to the Division of Enforcement.
While it’s encouraging that most BDs and IAs have adopted written policies and procedures to mitigate the risks of cyber attacks and have incorporated the NIST Framework functions and FFIEC’s recommendations, it is clear that BDs and IAs need to do more to bolster their baseline protections against cyber attacks. This includes ongoing employee training, obtaining cyber risk insurance and routinely sharing information and collaborating with other securities industry firms. BDs and IAs should use the SEC’s Cybersecurity Initiative as an opportunity to conduct enterprise-wide risk assessments to identify threats and vulnerabilities and to improve processes to further implement cybersecurity controls consistent with the NIST Framework and FFIEC’s recommendations.
Please contact your regular McGuireWoods lawyer or one of the authors if you have any questions on the SEC’s Cybersecurity Initiative, OCIE examinations or SEC enforcement-related matters.
For more information, see the February 2015 SEC Risk Alert announcing the results of the SEC’s Cybersecurity Initiative examinations here, or the April 2014 SEC Risk Alert announcing OCIE’s 2014 Examination Priorities, including the SEC’s Cybersecurity Initiative here.