SEC Eyes Cyber-Security Planning

In addition to regular audits, the SEC will start to scrutinize the cyber-security preparedness of market participants.

Who’s minding the store?
Determining who is responsible for the cyber-security role within a firm’s workforce is another concern of the regulator. Some large firms may have a chief information security officer or equivalent position. "You don’t have to hire someone additionally. There needs to be a person identified that is the key escalation person or responsible [party] for the risk assessment," says Mary Beth Hamilton, VP of Eze Castle Integration.

While larger firms may have a chief information security officer, or CISO, in smaller hedge funds, the responsibility often falls to the compliance officer.

"The truth is that a lot of smaller firms don’t do risk assessments." – Steve Schoener, Eze Castle Integration

"On the technology side, it’s definitely a size of shop, size of complexity issue," says Noland Cheng, managing partner of C&A Consulting, which specializes in technology, operational risk, finance, and operations. "Even some of the larger organizations with $20 to $30 billion-plus under management, I don’t know if they have a chief information security officer," says Cheng, who notes that’s more common with large banks and brokerage firms.

In large investment management firms, the top of the pyramid is the CTO and the second person on the tech side is the manager of infrastructure, who takes care of the network, mobile devices, and the firewall, he says.

A more formalized information security plan is needed because hackers, organized criminals, and nation-states are continually trying to infiltrate networks, inject malware, and steal data. "There’s a lot of bad people out there trying to figure out how to break into firms, and bad things can happen. The SEC is sending a signal to firms to make sure you have coverage," Cheng says.

On that front, the SEC also wants firms to disclose if they’ve had previous security incidents or attacks. But will firms answer truthfully since that could scare customers and damage their reputation?

"Everyone has had some type of malware or virus show up on some type of computer at some point," says Schoener. "It’s not necessarily the biggest deal," he says. On the other hand, if a list of investors’ names, addresses, and Social Security numbers is taken, you probably have an obligation to report that to someone, says Schoener. As part of the written policy, firms will identify key stakeholders that need to be notified in case of a security incident and at what escalation point they need to notify a regulator, notes Hamilton.

But even if financial firms have these policies and controls in place, certain practices expose them to risk. "Studies show that basic desktop software like Adobe Flash, PowerPoint, and Word present the most risk," says Naraine of Kaspersky Lab. If brokers have computer systems minding very sensitive data, they should never use Adobe Flash or Java or Facebook, or do any sort of web browsing on the same machine, he says. It may take four to six weeks to apply a patch to what is a critical vulnerability, he adds.

Because brokers run proprietary software systems, the sophisticated software attacks against them generally go unseen, Naraine points out. "That’s the scariest thing, that attacks are happening and no one knows," he says. "[The attacks] are also capable of stealing all your spreadsheets and all your customer data."

But firms are using technology to fight data breaches. In the case of mobile devices, firms that have a bring-your-own-device policy now insist they have control over the part of the phone that is accessing the firm’s voice and email systems through mobile device management applications, says Cheng. "If someone loses the phone, someone can push a button and wipe the phone clean," he says. "It’s not just writing a policy; the writing translates into technology enablement."

Looking ahead, some experts suggest that the SEC’s new cyber-security guidelines could evolve into a new compliance regulation for securities and investment firms. Right now, the regulator is testing the waters to see whether firms have proper controls in place.

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...

Comments
DarylJJ,
User Rank: Apprentice
7/17/2015 | 12:45:04 PM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
While DDoS is a concern, it is important to note that the intended outcome of performing the attack is in the name: DDoS = Distributed Denial of Service. Denial of service is not the same as a data breach in which sensitive data is stolen, it is simply an attack aimed at preventing you or anyone else from using your network. This can be disruptive and annoying to businesses, but does not merit anywhere near the concern an actual data breach does.

Furthermore, DoS attacks (note the single "D") are significantly up because there are tools available for free download that can perform this attack from a single laptop. I am not surprised that BT reported so many attacks. The number is probably much higher, but modern firewalls have gotten very good at defending these attacks and many companies don't even know they were hit. Often, the only way to know is by reviewing your firewall logs!

As far as Broker/Dealer data security, FINRA is already on this (seriously, it's the BANKING industry, there's no way they wouldn't have addressed this somewhere!) and I hope the SEC works in concert with them in the development of their data security standards.

Daryl Jackson, Senior Security Analyst, RSI Security
Luke Beeson,
User Rank: Apprentice
7/31/2014 | 11:51:15 AM
Re: Most alarming
I think this just emphasises the need for the financial sector and security industry to continue efforts to share intelligence and best practice. Our adversaries will be doing this, so we simply can't afford to sit in our commercial silos and not share what we are seeing to help us all defend against what could potentially end up being an attack on a nation's or sector's critical infrastructure.
IvySchmerken,
User Rank: Author
7/29/2014 | 10:10:30 AM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
If DDoS attacks are a daily occurrence for all financial institutions, then 45% is a low figure. With monitoring technology, firms can detect unusual activity bombarding their servers or networks with high message volumes. Interestingly, in electronic trading, high frequency trading firms bombard exchanges with high message rates as a normal part of their style, but this can be distinguished from DDoS, I assume. In any case, DDoS is evidently an ongoing part of the hacker's arsenal along with other more sophisticated methods.
Byurcan,
User Rank: Author
7/29/2014 | 9:36:59 AM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
At an Ernst & Young cyber security conference I went to a few years ago, they said virtually all financial institutions are hit with attacks on a daily basis.
IvySchmerken,
User Rank: Author
7/28/2014 | 4:29:06 PM
Re: The stakes are too high for cyber security to be pushed to the bottom of the pile.
Luke, if 45% of IT respondents globally are admitting that financial institutions have been hit by denial of service (DDoS) attacks, the figure could be higher. It clearly demonstrates that cybersecurity should not be relegated to the bottom of the pile on a CEO's desk. It should be a top priority. With two thirds of the IT respondents saying that DDoS attacks are becoming more effective, this is even more of a concern.

I would be curious if the companies you surveyed tend to have chief information security officers (CISOs)? Does this role correlate to lower incidents of such attacks?
Greg MacSweeney,
User Rank: Author
7/28/2014 | 3:19:24 PM
Re: Most alarming
Yes, a multi-pronged approach is needed. Hopefully, the industry can move fast enough and get up to speed to counter these growing and changing threats. After all, an attack that disrupts the markets will do little to help investors' confidence in the industry (confidence that is already shaky for other reasons).
IvySchmerken,
User Rank: Author
7/28/2014 | 2:31:39 PM
Re: Most alarming
I agree. Any cybersecurity breach is serious since most brokers are networked to exchanges, ATSs, clearing firms and depositories, so malevolent code can travel. Regulators are looking at creating policies that can be implemented industry wide. While the SEC is addressing hedge funds and registered investment advisers with this particular cybersecurity risk alert, Reg SCI is also addressing security of the financial infrastructure. I think this will be a multi-pronged approach to safeguard the industry.
Greg MacSweeney,
User Rank: Author
7/25/2014 | 7:26:23 AM
Most alarming
One of the reasons why regulators are looking closely at the security at financial firms is because they are worried about more than a simple breach at one bank. A breach at one firm is bad, but if that breach can cascade across interconnected electronic financial networks, it could cause massive damage. As the SEC's Aguilar said, the SEC is worried that the infrastructure of the capital markets might be harmed...which could result in market chaos, a market crash, and investors losing billions.
Luke Beeson,
User Rank: Apprentice
7/24/2014 | 8:55:33 AM
The stakes are too high for cyber security to be pushed to the bottom of the pile.
Cyber security has to be a priority for financial institutions. As the threat landscape continues to evolve, CEOs and board level executives need to invest in cyber security and educate their people in the IT department and beyond. The stakes are too high for cyber security to be pushed to the bottom of the pile.

BT actually published research just last month looking at the cyber threat landscape for Denial of Service attacks (DDoS) on financial services institutions. Among the findings was the surprising stat that almost half (45 per cent) of IT decision makers in financial services institutions (globally) admit their organisation was hit by DDoS attacks over the past year.

Similarly, two-thirds said that DDoS attacks are becoming more effective at breaching security defences – and only a quarter (27%) are fully convinced that their organisation allocates sufficient resource to defending against it.

Ivy, I would be happy to discuss this with you if it's a subject you are writing on again.

Luke Beeson, Vice President, Security UK and global banking & financial markets, BT