With the relentless threat of cyber criminals and hackers attacking financial services firms, the US Securities and Exchange Commission is intensifying its focus on information systems security at broker-dealers and investment advisers.
On April 15, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert notifying firms it will conduct IT security examinations of more than 50 registered broker-dealers and registered investment advisers.
The move is a sign that cyber security is not just an issue for retail banks or retail brokers that operate online, but a concern the SEC holds for financial institutions more broadly. December’s security breach at Target was yet another wake-up call that hackers can penetrate networks and steal customer data if companies do not remain vigilant. Just as retailers and banks can be hacked, the SEC is concerned that asset managers and brokers can be hacked as well, giving criminals access to fully electronic trading systems through which they could potentially disrupt the markets.
At the SEC’s roundtable on cyber security in March, Chair Mary Jo White said the commission’s jurisdiction in cyber security is "focused on the integrity of market systems, customer data protection, and disclosure of material information." The SEC held the roundtable to discuss the cyber-security landscape and cyber-security issues faced by exchanges, other key market systems, broker-dealers, investment advisers, transfer agents, and public companies.
"Cyberattacks on financial institutions have become both more frequent and more sophisticated. This is also true of cyberattacks on the infrastructure underlying the capital markets," said SEC Commissioner Luis Aguilar, who participated in the roundtable. "Cyberattacks aimed at these market participants can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard."
Cyber-security road map
To shine a light on the steps taken by securities firms and investment advisers, the SEC has developed a cyber-security document that supplies compliance professionals with questions they can use to assess their firms’ state of readiness. Some of the questions track information outlined in the Framework for Improving Critical Infrastructure Cybersecurity, released on February 12 by the National Institute of Standards and Technology, noted the SEC’s OCIE.
For example, the SEC wants to know if physical devices and systems are inventoried, and the same for software platforms and applications. It asks if maps of network resources, connections, and data flows -- including places where customer data is housed -- are created and updated. It also wants to know if a firm catalogues connections to its network from external sources.
"As I understand it, the SEC initiative is basically to determine how prepared these firms are for cyber security. It’s the first time the SEC is doing it. It could be some sort of compliance requirement going forward," suggests Ryan Naraine, head of the global analysis and research team USA at Kaspersky Lab, a firm that focuses on technical research into attacks and security threats aimed at these organizations.
As part of the guidelines, firms are asked to create a written information security policy. This is designed to make sure they have the proper controls in place, Naraine says.
Another area the SEC is probing is whether firms conduct regular risk assessments to identify cyber-security threats or vulnerabilities that could have business consequences. "The truth is that a lot of smaller firms don’t do risk assessments. I do think that they will push them toward that," says Steve Schoener, VP of Eze Castle Integration, a provider of IT offerings and private cloud services to more than 650 alternative investment firms worldwide.
Eze Castle Integration is working with clients to create this written information security policy. ECI started a consulting practice in 2009, about a year before the state of Massachusetts passed a law requiring companies to protect the personal information of employees and investors residing in the state. Now the firm is broadening the service to guide hedge funds through SEC cyber-security planning.
While the SEC is not conducting specific cyber-security-focused examinations, firms need to keep the document internally and be ready to answer these questions during their routine audits, says Schoener.
In addition, the SEC is checking to see if firms have strict policies for information access to ensure that unauthorized employees can’t gain admission to systems. According to Schoener, firms have information protection policies on what parts of the network and files employees can read. "Could people do a bit better? Probably," he says.