Cyber-attacks pose an increasing risk for companies of all types around the world. The recent WannaCry attack affected multiple industries in more than 100 countries and caused major disruption. The attack caused enough alarm to prompt the SEC’s Office of Compliance Inspections and Examinations (OCIE) to send out a national cybersecurity risk alert.
The financial services industry is especially susceptible to cyber-attacks like WannaCry, due to the large amount of internal and client financial data that’s regularly accessed. But the hard truth is that today’s investment management firms aren’t doing enough to protect themselves and their clients.
WannaCry was a ransomware attack, which means many organizations’ data was held hostage. For investment firms, ransomware spells trouble for a number of reasons and particularly affects business continuity. Beyond holding data hostage, many ransomware attacks also render the infected system non-functional.
Given their fiduciary duty to their clients (including protecting their clients from risk as a result of the advisers’ inability to provide advisory services), firms need to frequently review and update their cybersecurity program and initiatives to ensure they meet data and IT compliance obligations and adhere to federal securities laws.
Industry Cybersecurity Performance
After reviewing 75 SEC-registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness, the OCIE found that investment management firms had significant vulnerabilities in two key areas:
Cyber risk assessment: 26% of investment management firms did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and potential business consequences.
Penetration tests: 57% of investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms deemed critical.
Additionally, the SEC noted that 4% of investment management firms had a significant number of critical and high-risk security patches that still needed to be applied.
The OCIE review noted that broker-dealers are more prepared than investment firms — which is likely due to regular efforts by the Financial Industry Regulatory Authority (FINRA) — but they too still have ample room for improvement.
SEC Cybersecurity Guidance
There are several proactive and protective steps firms can take. The SEC identifies three main focus areas:
1. Conduct security assessments to identify potential threats and vulnerabilities to better prioritize and mitigate risk. Consider:
- Type, sensitivity, and location of data the firm deals with and what technology is being used along with technical security measures in place
- Internal and external cybersecurity threats and vulnerabilities of systems
- Current security controls and processes, and the impact if a system is compromised
- Effectiveness of governance structure for cybersecurity management
2. Create a cybersecurity strategy with routine testing to prevent, detect, and respond to threats. Include:
- Access management such as credentialing, authentication, firewalls, perimeter defenses, and systems hardening
- Data encryption
- Loss protection for sensitive data, such as controls on removable storage media and monitoring software
- Data backup and retrieval
- Development of incident response plan
Monitoring mechanisms can include information gathering from outside resources, such as vendors and third-party contractors specializing in cybersecurity and participating in the Financial Services—Information Sharing and Analysis Center.
3. Implement the cybersecurity strategy through:
- Written policy and procedures
- Training and guidance about threats and how to prevent, detect, and respond to them
- Investor and client education on how they can reduce their risks
The measures suggested above aren’t intended to be all-inclusive and other actions may be needed in some cases. Firms should also regularly review their data and IT security compliance programs and consider addressing the protection of commercial or market-sensitive information (disclosure of which could negatively affect client interests).
There’s no crystal ball predicting when the next cyber-attack will occur or what it might look like. While prevention is never guaranteed, backing up data and investing in cybersecurity preparedness will help investment firms recover more rapidly if there is a breach, mitigate the impact, and remain compliant.