On August 7, 2017, the U.S. Securities and Exchange Commission (“SEC”) published a risk alert directed at the financial advisory industry, identifying cybersecurity weaknesses that could leave the industry’s networks open to attackers. The SEC issued the alert following its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers, and funds. The examination took place from September 2015 through June 2016.
The SEC’s August 2017 risk alert echoes a strong warning from former SEC Chair Mary Jo White that the biggest threat currently facing the financial system is a lack of cybersecurity. The risk alert identifies two measures that may reduce both the likelihood of an attack and the damage that follows one: regular security updates to prevent a system breach, and narrowly tailored policies combined with comprehensive employee training to limit financial and reputational damage once a breach has occurred.
The alert further notes that, while many of the examined broker-dealers, investment advisers, and funds have already completed robust inventories of their cyber-risks and have policies and procedures in place for responding to a cyber-attack, those policies and procedures are often misaligned with the firm’s actual level of risk and are not sufficiently tailored to evolving cyber threats.
Additionally, the SEC’s alert states that while most of the organizations examined conduct routine risk assessments to identify vulnerabilities, these same firms often fall short in adhering to their own policies. For example, the alert found that a substantial number of firms had not yet installed the security patches needed to protect their systems, and that many firm policies are written in broad terms and give employees insufficient guidance on how to manage a crisis in which attackers breach the organization’s systems and leak sensitive financial information.
The SEC’s alert challenges financial organizations to go beyond general awareness of existing cyber threats and to reduce the likelihood of a cyberattack by tailoring policies to the specific operations of the organization. Additionally, the SEC recommends specific, narrowly tailored employee training to ensure that personnel have the background needed to execute the cybersecurity policies under crisis conditions and protect the organization and its sensitive data.