Sapsiwai - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

What are the key takeaways from the SEC financial security report?

An SEC financial security report shows over three-quarters of financial institutions were subject to at least one cybersecurity attack. Expert Mike Chapple looks at common trends.

The Office of Compliance Inspections and Examinations at the U.S. Securities and Exchange Commission (SEC) issued a report that showed the majority of security brokers/dealers and investment advisers have experienced cyberattacks either directly or through a vendor. Our firm manages security for a number of midsize investment advisers. What were the key findings from the SEC financial security report, and are there any security compliance guidelines you'd recommend to avoid such attacks?

In April 2014, the SEC announced a Cybersecurity Examination Initiative designed to evaluate the state of cybersecurity programs in the financial industry. During the course of the program, SEC auditors examined the security controls at 106 institutions across a wide range of cybersecurity categories. These included risk assessment, governance, network security, remote access security, vendor access and detecting unauthorized computer activity.

Ten months later, in February 2015, the SEC released a report detailing the results of its assessment program. The report didn't provide detailed results for any particular audit subject but it did highlight the common trends. Shockingly, over three-quarters of audited firms reported they were the subject of a cybersecurity incident. Only one firm reported a loss in excess of $75,000.

The SEC financial security report results revealed that most SEC-regulated firms have strong governance practices, including written information security policies, periodic risk assessments and the use of encryption. However, firms should tighten their control on third-party vendors and participate in cybersecurity threat information sharing networks.

Only one-third of financial advisors in the audit sample require security assessments for vendors remotely accessing firm networks. This represents a significant risk, as third-party vendors may have access to sensitive information and systems. SEC-regulated firms should take immediate steps to inventory the vendors with remote network access and require periodic risk assessments of those vendors.

Most firms in the study do not participate in information sharing networks designed to pool cybersecurity threat information among financial firms. Participating in these consortia may provide firms with advance warning of the threats they face in cyberspace and reduce the likelihood they will fall victim to a cybersecurity breach. Financial services firms may wish to join the federally-sponsored Financial Services Information Sharing and Analysis Center.

While the SEC examination program only touched a small fraction of the broker-dealers and advisors regulated by the SEC, the results of the audits provide good feedback to similar firms. Implementing the controls recommended by SEC examiners will help protect firms against future examinations and also reduce the likelihood of a significant security breach impacting their business and their customers.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Check out some best practices for third-party vendor management and learn about emerging cybersecurity information sharing initiatives.

This was last published in August 2015

Dig Deeper on Security audit, compliance and standards