The Office of Compliance Inspections and Examinations at the U.S. Securities and Exchange Commission (SEC) issued a report that showed the majority of security brokers/dealers and investment advisers have experienced cyberattacks either directly or through a vendor. Our firm manages security for a number of midsize investment advisers. What were the key findings from the SEC financial security report, and are there any security compliance guidelines you'd recommend to avoid such attacks?
In April 2014, the SEC announced a Cybersecurity Examination Initiative designed to evaluate the state of cybersecurity programs in the financial industry. During the course of the program, SEC auditors examined the security controls at 106 institutions across a wide range of cybersecurity categories. These included risk assessment, governance, network security, remote access security, vendor access and detecting unauthorized computer activity.
Ten months later, in February 2015, the SEC released a report detailing the results of its assessment program. The report didn't provide detailed results for any particular audit subject, but it did highlight the common trends. Shockingly, over three-quarters of audited firms reported they were the subject of a cybersecurity incident. Only one firm reported a loss in excess of $75,000.
The SEC financial security report results revealed that most SEC-regulated firms have strong governance practices, including written information security policies, periodic risk assessments and the use of encryption. However, firms should tighten their controls over third-party vendors and participate in cybersecurity threat information sharing networks.
Only one-third of financial advisers in the audit sample require security assessments for vendors remotely accessing firm networks. This represents a significant risk, as third-party vendors may have access to sensitive information and systems. SEC-regulated firms should take immediate steps to inventory the vendors with remote network access and require periodic risk assessments of those vendors.
Most firms in the study do not participate in information sharing networks designed to pool cybersecurity threat information among financial firms. Participating in these consortia may provide firms with advance warning of the threats they face in cyberspace and reduce the likelihood they will fall victim to a cybersecurity breach. Financial services firms may wish to join the federally sponsored Financial Services Information Sharing and Analysis Center (FS-ISAC).
While the SEC examination program only touched a small fraction of the broker-dealers and advisers regulated by the SEC, the results of the audits provide useful guidance to similar firms. Implementing the controls recommended by SEC examiners will help firms prepare for future examinations and also reduce the likelihood of a significant security breach impacting their business and their customers.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)