The Office of Compliance Inspections and Examinations at the U.S. Securities and Exchange Commission (SEC) issued a report that showed the majority of security brokers/dealers and investment advisers have experienced cyberattacks either directly or through a vendor. Our firm manages security for a number of midsize investment advisers. What were the key findings from the SEC financial security report, and are there any security compliance guidelines you'd recommend to avoid such attacks?
In April 2014, the SEC announced a Cybersecurity Examination Initiative designed to evaluate the state of cybersecurity programs in the financial industry. During the course of the program, SEC auditors examined the security controls at 106 institutions across a wide range of cybersecurity categories. These included risk assessment, governance, network security, remote access security, vendor access and detecting unauthorized computer activity.
Ten months later, in February 2015, the SEC released a report detailing the results of its assessment program. The report didn't provide detailed results for any particular audit subject, but it did highlight the common trends. Shockingly, over three-quarters of audited firms reported they were the subject of a cybersecurity incident. Only one firm reported a loss in excess of $75,000.
The SEC financial security report results revealed that most SEC-regulated firms have strong governance practices, including written information security policies, periodic risk assessments and the use of encryption. However, firms should tighten their control on third-party vendors and participate in cybersecurity threat information sharing networks.
Only one-third of financial advisors in the audit sample require security assessments for vendors remotely accessing firm networks. This represents a significant risk, as third-party vendors may have access to sensitive information and systems. SEC-regulated firms should take immediate steps to inventory the vendors with remote network access and require periodic risk assessments of those vendors.
Most firms in the study do not participate in information sharing networks designed to pool cybersecurity threat information among financial firms. Participating in these consortia may provide firms with advance warning of the threats they face in cyberspace and reduce the likelihood they will fall victim to a cybersecurity breach. Financial services firms may wish to join the federally sponsored Financial Services Information Sharing and Analysis Center.
While the SEC examination program only touched a small fraction of the broker-dealers and advisors regulated by the SEC, the results of the audits provide good feedback to similar firms. Implementing the controls recommended by SEC examiners will help protect firms against future examinations and also reduce the likelihood of a significant security breach impacting their business and their customers.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)