Financial regulators are increasingly zoning in on brokerages' vulnerability to computer hackers, a focus likely to hit smaller financial services firms especially hard as they try to convince examiners that their safeguards are up to snuff.
At least 88 percent of securities brokerages and 74 percent of investment advisory firms have been targets of cyberattacks, the U.S. Securities and Exchange Commission (SEC) said in a Feb 3 report.
The SEC and Financial Industry Regulatory Authority (FINRA) have made checking up on firms’ cybersecurity practices a priority for their examiners this year.
Even the largest firms, with armies of technology professionals at their disposal, can struggle to answer examiners' queries about cyber-preparedness. The task is an even bigger challenge at smaller firms, where preparations fall to a handful of individuals, and sometimes one.
How much work is involved? "That’s where your soul breaks," said David Edwards, president of Heron Financial Group, LLC, an investment advisory firm in New York that manages $171 million in assets.
Edwards launched a major cybersecurity upgrade at his seven-person firm last year, after receiving a spate of fake messages from clients’ hacked personal email accounts asking for money transfers. Edwards is wrapping up the six-month-long project, which consumed roughly one day of his time each week, he said.
Firms which cannot afford to employ round-the-clock technology departments are facing mounting responsibilities as hackers become more aggressive and regulators ramp up their scrutiny of precautions firms are taking against such threats.
Fortunately, guidance is plentiful. A FINRA cybersecurity report published last week, for example, can serve as a starting point for firms that are struggling with the basics, said Joseph Rivela, chief strategist for Breach Intelligence LLC, a Farmington, Connecticut information security firm.
The 46-page report is a detailed primer on cybersecurity best practices, such as conducting periodic reviews to look for potential threats and developing policies that may restrict certain employees from some kinds of programs.
Developing new policies can be a long-term task. But firms can take some immediate steps to protect data while working toward the larger goal, Rivela said. For example, an inventory of technology devices can unearth laptops and servers that the firm no longer needs. Unplugging those devices cuts off pathways that hackers can use to access data, Rivela said.
Other short-term steps can include prohibiting employees from sharing passwords, a common practice at small firms, said Emily Gordy, a lawyer in Potomac, Maryland who advises firms on regulatory issues. Firms should also have procedures for cutting off computer privileges for employees who leave, Gordy said.
Still, there are many precautions that small firms cannot take on alone. Many are turning to secure cloud-based services, from companies such as Abacus Group LLC in New York and International Business Machines Corp to manage their back office and business systems, Rivela said.
Heron's Edwards, who worked in the technology field before becoming an advisor, has also hired outside companies to help with antivirus software, technology upgrades, and testing his systems for vulnerabilities. “You can’t possibly have this kind of expertise in house unless you’re JP Morgan,” he said.