What could be worse than hackers exposing users of the infidelity website AshleyMadison.com? Imagine hackers with access to 4.6 million brokerage accounts.

In October, discount broker-dealer Scottrade announced hackers exposed personal information of 4.6 million customers during a February 2014 breach.

Now that hackers seem to be shifting their focus from retailers like Target and Home Depot to financial firms, regulators and advisors are scrambling to keep up — especially smaller RIAs.

“It’s definitely smaller advisors who are feeling the most pressure because it is very costly for them to comply,” says Sam Attias, managing director at New York-based External IT, a financial services information technology outsourcing firm. “It’s hard for them to run a business and be in compliance with all of these rules; it requires a lot of people’s time.”

The Scottrade announcement comes amidst an SEC campaign to address cybersecurity. Throughout 2015, the commission has scrutinized how advisors are shielding clients from hackers.

“In the past, the SEC was more focused on preventing fraud because that’s where the headlines were,” Attias says. “The pendulum has shifted all the way to the extreme of protecting clients’ data, because there’s so much cyberterrorism going on.”

In September, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced guidance on advisors’ cybersecurity policies, identifying six areas of focus for an upcoming round of compliance examinations: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

“Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially malicious threat to smaller businesses,” said SEC commissioner Luis Aguilar in a statement. “The reason is simple: Small and midsize businesses are not just targets of cybercrime, they are its principal target. In fact, the majority of all targeted cyber-attacks last year were directed at small and midsize businesses. The most predominant reason for this is also the most obvious: Smaller companies pose easier targets than larger organizations, and must protect against such threats with far fewer resources.”

Just after the risk alert was issued, the SEC levied a $75,000 fine on St. Louis RIA R.T. Jones Capital Equities Management for failure to compose and update cybersecurity policies ahead of a 2013 hack.

“At this point, investment advisors, and probably broker-dealers, may be facing strict liability if they become the victim of a breach,” said Brian Rubin, partner in Washington-based securities law firm Sutherland Asbill & Brennan, in written comments after the SEC’s announcement. “It appears that the SEC may find that a firm’s procedures were unreasonable based on the simple fact that a breach occurred.”

R.T. Jones is the first RIA to be sanctioned by the SEC in a cybersecurity case.

The cybersecurity focus began in the wake of Hurricane Sandy, when the SEC became concerned about the potential for data loss during widespread or long-term interruptions to power and network connectivity.
