The U.S. Securities and Exchange Commission has issued publications that address cybersecurity at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.
“Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC chair Mary Jo White, in a statement.
One publication, a Risk Alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE), contains observations based on examinations of more than 100 broker-dealers and investment advisers. The examinations focused on how firms identify cybersecurity risks, establish cybersecurity policies, procedures, and oversight processes, and protect their networks and information
The Financial Industry Regulatory Authority has issued its own report on cybersecurity, which details practices that firms can tailor to their business model as they strengthen their cybersecurity efforts.
The report draws in part from the results of FINRA's recent targeted examination ("sweep") of a cross-section of firms. The sweep, conducted in 2014, focused on the types of threats firms face, areas of vulnerabilities in their systems and firms' approaches to managing these threats.
According to Finra, broker-dealers identified the top three threats as hackers penetrating firm systems, insiders compromising firm or client data, and operational risks.
The ranking of threats varied by firm and by business model, Finra said. While online brokerage firms and retail brokerages are more likely to list hackers as their top-priority risk, firms that engage in algorithmic trading were more likely to consider insider risks potentially more damaging. Large investment banks or broker-dealers typically ranked risks from nation states or hacktivist groups more highly than other firms.
Grigoriy Milis, chief technology officer at Richard Fleischman & Associates, an outsourced technology provider to hedge funds, told Markets Media that internal threats are primarily about threats to the intellectual property.
“If the company has some kind of very valuable intellectual property then the internal threat would be more important to them than external,” Milis said.
Today, said Milis, external threats have become more dangerous because of the sophisticated attack vectors being employed.
“If you look a few years back, the external threat was about creating a business disruption. It was about creating some kind of chaos and mischief inside the company's network,” said Milis. “Today, however, the external threat is all about data extrusion. They will take whatever they can get their hands on. It's even worse because they also can potentially initiate fraudulent financial transactions.”
Featured image via bluebay2014/Dollar Photo Club