SEC Eyes Cyber-Security Planning

In addition to regular audits, the SEC will start to scrutinize the cyber-security preparedness of market participants.

With the relentless threat of cyber criminals and hackers attacking financial services firms, the US Securities and Exchange Commission is intensifying its focus on information systems security at broker-dealers and investment advisers.

On April 15, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert notifying firms it will conduct IT security examinations of more than 50 registered broker-dealers and registered investment advisers.

The move is a sign that cyber security is not just an issue for retail banks or retail brokers that operate online, but one the SEC is worried about across financial institutions. December’s security breach at Target was yet another wake-up call that hackers can penetrate networks and steal customer data if companies do not remain vigilant. Just as retailers and banks can be hacked, the SEC is concerned that asset managers and brokers can be hacked as well, giving criminals access to fully electronic trading systems with which they could potentially disrupt the markets.

At the SEC’s roundtable on cyber security in March, Chair Mary Jo White said the commission’s jurisdiction in cyber security is "focused on the integrity of market systems, customer data protection, and disclosure of material information." The SEC held the roundtable to discuss the cyber-security landscape and cyber-security issues faced by exchanges, other key market systems, broker-dealers, investment advisers, transfer agents, and public companies.

"Cyberattacks on financial institutions have become both more frequent and more sophisticated. This is also true of cyberattacks on the infrastructure underlying the capital markets," said SEC Commissioner Luis Aguilar, who participated in the roundtable. "Cyberattacks aimed at these market participants can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard."

Cyber-security road map
To shine a light on the steps taken by securities firms and investment advisers, the SEC has developed a cyber-security document that supplies compliance professionals with questions they can use to assess their firms’ state of readiness. Some of the questions track information outlined in the Framework for Improving Critical Infrastructure Cybersecurity, released on February 12 by the National Institute of Standards and Technology, noted the SEC’s OCIE.

For example, the SEC wants to know if physical devices and systems are inventoried, and the same for software platforms and applications. It asks if maps of network resources, connections, and data flows -- including places where customer data is housed -- are created and updated. It also wants to know if a firm catalogues connections to its network from external sources.

"As I understand it, the SEC initiative is basically to determine how prepared these firms are for cyber security. It’s the first time the SEC is doing it. It could be some sort of compliance requirement going forward," suggests Ryan Naraine, head of the global analysis and research team USA at Kaspersky Lab, a firm that focuses on technical research into attacks and security threats aimed at these organizations.

As part of the guidelines, firms are asked to create a written information security policy. This is designed to make sure they have the proper controls in place, Naraine says.

Another area the SEC is probing is whether firms conduct regular risk assessments to identify cyber-security threats or vulnerabilities that could have business consequences. "The truth is that a lot of smaller firms don’t do risk assessments. I do think that they will push them toward that," says Steve Schoener, VP of Eze Castle Integration, a provider of IT offerings and private cloud services to more than 650 alternative investment firms worldwide.

Eze Castle Integration is working with clients to create this written information security policy. ECI started a consulting practice in 2009, about a year before the state of Massachusetts passed a law requiring companies to protect the personal information of employees and investors residing in the state. Now the firm is broadening the service to guide hedge funds through SEC cyber-security planning.

While the SEC is not conducting specific cyber-security-focused examinations, firms need to keep the document internally and be ready to answer these questions during their routine audits, says Schoener.

In addition, the SEC is checking to see if firms have strict policies for information access to ensure that unauthorized employees can’t gain access to systems. According to Schoener, firms have information protection policies covering which parts of the network and which files employees can read. "Could people do a bit better? Probably," he says.


Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...

Comments
Luke Beeson (User Rank: Apprentice), 7/31/2014 | 11:51:15 AM
Re: Most alarming
I think this just emphasises the need for the financial sector and security industry to continue efforts to share intelligence and best practice. Our adversaries will be doing this, so we simply can't afford to sit in our commercial silos and not share what we are seeing to help us all defend against what could potentially end up being an attack on a nation's or sector's critical infrastructure.
IvySchmerken (User Rank: Author), 7/29/2014 | 10:10:30 AM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
If DDoS attacks are a daily occurrence for all financial institutions, then 45% is a low figure. With monitoring technology, firms can detect unusual activity bombarding their servers or networks with high message volumes. Interestingly, in electronic trading, high frequency trading firms bombard exchanges with high message rates as a normal part of their style, but this can be distinguished from DDoS, I assume. In any case, DDoS is evidently an ongoing part of the hacker's arsenal along with other more sophisticated methods.
Byurcan (User Rank: Author), 7/29/2014 | 9:36:59 AM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
At an Ernst & Young cyber security conference I went to a few years ago, they said virtually all financial institutions are hit with attacks on a daily basis.
IvySchmerken (User Rank: Author), 7/28/2014 | 4:29:06 PM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
Luke, if 45% of IT respondents globally are admitting that financial institutions have been hit by denial of service (DDoS) attacks, the figure could be higher. It clearly demonstrates that cybersecurity should not be relegated to the bottom of the pile on a CEO's desk. It should be a top priority. With two thirds of the IT respondents saying that DDoS attacks are becoming more effective, this is even more of a concern.

I would be curious if the companies you surveyed tend to have chief information security officers (CISOs)? Does this role correlate to lower incidents of such attacks?
Greg MacSweeney (User Rank: Author), 7/28/2014 | 3:19:24 PM
Re: Most alarming
Yes, a multi-pronged approach is needed. Hopefully, the industry can move fast enough and get up to speed to counter these growing and changing threats. After all, an attack that disrupts the markets will do little to help investors' confidence in the industry (confidence that is already shaky for other reasons).
IvySchmerken (User Rank: Author), 7/28/2014 | 2:31:39 PM
Re: Most alarming
I agree. Any cybersecurity breach is serious since most brokers are networked to exchanges, ATSs, clearing firms and depositories, so malevolent code can travel. Regulators are looking at creating policies that can be implemented industry wide. While the SEC is addressing hedge funds and registered investment advisers with this particular cybersecurity risk alert, Reg SCI is also addressing security of the financial infrastructure. I think this will be a multi-pronged approach to safeguard the industry.
Greg MacSweeney (User Rank: Author), 7/25/2014 | 7:26:23 AM
Most alarming
One of the reasons why regulators are looking closely at the security at financial firms is because they are worried about more than a simple breach at one bank. A breach at one firm is bad, but if that breach can cascade across interconnected electronic financial networks, it could cause massive damage. As the SEC's Aguilar said, the SEC is worried that the infrastructure of the capital markets might be harmed...which could result in market chaos, a market crash, and investors losing billions.
Luke Beeson (User Rank: Apprentice), 7/24/2014 | 8:55:33 AM
The stakes are too high for cyber security to be pushed to the bottom of the pile.
Cyber security has to be a priority for financial institutions. As the threat landscape continues to evolve, CEOs and board level executives need to invest in cyber security and educate their people in the IT department and beyond. The stakes are too high for cyber security to be pushed to the bottom of the pile.

BT actually published research just last month looking at the cyber threat landscape for Denial of Service attacks (DDoS) on financial services institutions. Among the findings was the surprising stat that almost half (45 per cent) of IT decision makers in financial services institutions (globally) admit their organisation was hit by DDoS attacks over the past year.

Similarly, two-thirds said that DDoS attacks are becoming more effective at breaching security defences – and only a quarter (27%) are fully convinced that their organisation allocates sufficient resource to defending against it.

Ivy, I would be happy to discuss this with you if it's a subject you are writing on again.

Luke Beeson, Vice President, Security UK and global banking & financial markets, BT