Last month, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published its findings on susceptibility to cyber-attacks, having examined 57 registered broker-dealers and 49 investment advisors. Because both broker-dealers and investment advisors handle extremely sensitive information pertaining to numerous people and companies, their ability to fend off cyber-attacks is of great importance to the OCIE.
The investigation was performed in order to give the SEC an overall depiction of how registered firms recognize cyber-security threats, build cyber threat readiness into their overall policies and procedures, recognize and deal with cyber risks pertaining to vendors and other third parties, and find and react to cyber-security breaches.
The results of the investigation revealed a large number of cyber-security threats to the firms and numerous methods of preparing for and reacting to cyber-attacks.
1. The OCIE found that 88% of broker-dealers and 74% of advisors reported having suffered cyber-attacks. Unsurprisingly, most of these attacks involved malware and scam emails. The details of the attacks and their outcomes varied greatly among the firms examined. Roughly half of the reported scam emails involved requests to transfer client funds.
2. More than 25% of broker-dealers had losses of more than $5,000, but no single loss exceeded $75,000. The OCIE found that many of these losses were at least partly the result of employees failing to follow the firm’s identity authentication practices.
As the OCIE predicted, a large proportion of the examined broker-dealers (93%) and advisors (83%) had already implemented written cyber-security procedures. Additionally, the majority of these broker-dealers and advisors periodically audit the firm’s compliance with those procedures.
How well firm policies and procedures helped with cyber-security concerns varied greatly among firms.
- 82% of broker-dealer policies and 51% of advisor policies address mitigating the impact of, and/or recovering from, a cyber-attack.
- However, only 30% of broker-dealer policies and 13% of advisor policies address how to determine whether the firm is responsible for client losses stemming from an attack.
- The OCIE found that 93% of broker-dealers and 79% of advisors conduct periodic risk assessments to identify cyber-security threats, vulnerabilities, and potential business consequences. Most even go so far as to require periodic cyber-security risk assessments of vendors who have access to the firms’ networks.
Finally, the OCIE found that a substantial number of the examined firms have been diligent both in educating themselves about cyber-attacks and threats and in creating breach prevention and response procedures.
In its findings, the OCIE noted that, although it cannot yet assess the effectiveness of every firm’s cyber-security policies and procedures, it will continue evaluating the results of the investigation to identify correlations between the firms’ readiness and controls and their size, complexity, and other characteristics. The OCIE further noted that it will continue to perform risk-based examinations focused on cyber-security. Until the OCIE completes these tasks, it urges firms to consider using its findings as a guide when performing their own cyber-security self-assessments.
To learn more about Richard Frankowski, visit The Frankowski Firm.