What could be worse than hackers exposing users of the infidelity website AshleyMadison.com? Imagine hackers with access to 4.6 million brokerage accounts.

In October, discount broker-dealer Scottrade announced that hackers had exposed the personal information of 4.6 million customers in a breach dating back to February 2014.

Now that hackers seem to be shifting their focus from retailers like Target and Home Depot to financial firms, regulators and advisors are scrambling to keep up — especially smaller RIAs.

“It’s definitely smaller advisors who are feeling the most pressure because it is very costly for them to comply,” says Sam Attias, managing director at New York-based External IT, a financial services information technology outsourcing firm. “It’s hard for them to run a business and be in compliance with all of these rules; it requires a lot of people’s time.”

The Scottrade announcement comes amidst an SEC campaign to address cybersecurity. Throughout 2015, the commission has scrutinized how advisors are shielding clients from hackers.

“In the past, the SEC was more focused on preventing fraud because that’s where the headlines were,” Attias says. “The pendulum has shifted all the way to the extreme of protecting clients’ data, because there’s so much cyberterrorism going on.”

In September, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on advisors’ cybersecurity policies, identifying six areas of focus for an upcoming round of compliance examinations: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

“Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially malicious threat to smaller businesses,” said SEC commissioner Luis Aguilar in a statement. “The reason is simple: Small and midsize businesses are not just targets of cybercrime, they are its principal target. In fact, the majority of all targeted cyber-attacks last year were directed at small and midsize businesses. The most predominant reason for this is also the most obvious: Smaller companies pose easier targets than larger organizations, and must protect against such threats with far fewer resources.”

Just after the risk alert was issued, the SEC levied a $75,000 fine on St. Louis RIA R.T. Jones Capital Equities Management for failure to compose and update cybersecurity policies ahead of a 2013 hack.

“At this point, investment advisors, and probably broker-dealers, may be facing strict liability if they become the victim of a breach,” said Brian Rubin, partner in Washington-based securities law firm Sutherland Asbill & Brennan, in written comments after the SEC’s announcement. “It appears that the SEC may find that a firm’s procedures were unreasonable based on the simple fact that a breach occurred.”

R.T. Jones is the first RIA to be sanctioned by the SEC in a cybersecurity case.

The cybersecurity focus began in the wake of Hurricane Sandy, when the SEC became concerned about the potential for data loss during widespread or long-term interruptions to power and network connectivity.

“In April and in 2014, the SEC came out with these huge cybersecurity notices,” Attias says. “Everything was general, it was hard for firms to figure out what they needed to do. The SEC did a sweep of examinations this year and found very high failure rates in certain categories.”

An SEC survey of advisors from earlier this year found that only 57 percent of advisors regularly audit and update their cybersecurity policies and procedures, versus 89 percent for brokerages. The OCIE guidance says that firms should clearly designate responsibility for oversight of their cybersecurity programs.

“What R.T. Jones was fined for was not something that’s all that terrible,” says Attias. “They definitely weren’t in compliance, and they got hit for not having a policy in place. Companies need a plan in place, a record of their IT footprint, and a registry of all the devices out there that are used to access their data.”

Firms also have to control who can access and modify data within their systems, to prevent unauthorized access to individuals’ private information. For advisors, this means that anyone not working directly with a client should be barred from that client’s personal records, and that employees who leave the firm or are reassigned to different clients must have their access rights revoked promptly.
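The access-rights principle above (records visible only to the advisors assigned to a client, with revocation on reassignment or departure) is easy to state and easy to get wrong in practice, typically because revocation is left to a manual step. The following is an added illustration, not code from the article or from any firm it names: a minimal client-record store in which reassignment and offboarding revoke access as a side effect of the same operation that records the staffing change, and every access decision, allowed or denied, is written to an audit trail of the kind the article anticipates regulators asking for. All employee names, client IDs and record contents are constructed for the example.

```python
"""Least-privilege access to client records with revocation and an audit trail.

Added example; assumes an in-memory store. Names and data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    when: str       # ISO-8601 UTC timestamp
    actor: str      # employee id making the request
    action: str     # e.g. "read"
    client: str     # client id the request targeted
    allowed: bool   # the decision that was enforced


@dataclass
class ClientRecordStore:
    # client_id -> set of employee ids currently assigned to that client
    assignments: dict = field(default_factory=dict)
    # employees who have left the firm; they are denied everything
    offboarded: set = field(default_factory=set)
    # append-only log of every access decision
    audit_log: list = field(default_factory=list)

    def assign(self, client: str, employee: str) -> None:
        """Grant an employee access to one client's records."""
        if employee in self.offboarded:
            raise ValueError(f"{employee} has been offboarded")
        self.assignments.setdefault(client, set()).add(employee)

    def reassign(self, client: str, old_employee: str, new_employee: str) -> None:
        """Revoke the old advisor and grant the new one in a single step."""
        self.assignments.get(client, set()).discard(old_employee)
        self.assign(client, new_employee)

    def offboard(self, employee: str) -> None:
        """Departure revokes access to every client, not just the obvious ones."""
        self.offboarded.add(employee)
        for allowed in self.assignments.values():
            allowed.discard(employee)

    def can_access(self, employee: str, client: str) -> bool:
        """Default deny: only a current, non-offboarded assignee may read."""
        return (employee not in self.offboarded
                and employee in self.assignments.get(client, set()))

    def read_record(self, employee: str, client: str, records: dict) -> dict:
        """Enforce the check and log the decision whether or not it passed."""
        allowed = self.can_access(employee, client)
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), employee, "read", client, allowed))
        if not allowed:
            raise PermissionError(f"{employee} is not assigned to client {client}")
        return records[client]

    def access_history(self, client: str) -> list:
        """Who tried to read this client's file, and whether they succeeded."""
        return [(e.actor, e.allowed) for e in self.audit_log if e.client == client]


def demo() -> tuple:
    """Walk through assignment, reassignment and offboarding; return the decisions."""
    # Constructed sample records (no real client data)
    records = {
        "C-100": {"name": "Client A", "ssn_last4": "1234"},
        "C-200": {"name": "Client B", "ssn_last4": "9876"},
    }
    store = ClientRecordStore()
    store.assign("C-100", "alice")
    store.assign("C-200", "bob")

    results = {}
    results["alice_own_client"] = store.can_access("alice", "C-100")
    results["alice_other_client"] = store.can_access("alice", "C-200")

    store.reassign("C-100", "alice", "carol")
    results["alice_after_reassign"] = store.can_access("alice", "C-100")
    results["carol_after_reassign"] = store.can_access("carol", "C-100")

    store.offboard("bob")
    results["bob_after_offboard"] = store.can_access("bob", "C-200")

    # A denied attempt is still recorded, so the trail shows the attempt itself
    try:
        store.read_record("bob", "C-200", records)
    except PermissionError:
        pass
    results["bob_denied_logged"] = ("bob", False) in store.access_history("C-200")
    results["carol_read"] = store.read_record("carol", "C-100", records)["name"]
    return results, store


if __name__ == "__main__":
    decisions, _ = demo()
    for name, value in decisions.items():
        print(f"{name}: {value}")
```

The point worth noticing is that there is no separate "remember to remove access" task: `reassign` and `offboard` are the only ways staffing changes enter the system, and revocation happens inside them. Logging denied attempts as well as successes is what makes the trail useful for the "who has been accessing what" question, since a pattern of denials is often the first sign of a misconfigured account or a departed employee's credentials still being used.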

According to the SEC’s research, only 32 percent of advisors assess the data security of vendors that access their computer systems. This is an area of concern for the SEC because almost three-quarters of advisors targeted by hackers, R.T. Jones among them, have had data breaches occur directly or indirectly through their vendors’ networks or facilities. The SEC guidance says networks should be protected both physically and digitally.

“Advisors will want to have the highest level of security,” Attias says. “That means, of course, that they need to have anti-virus software. They need to have their data encrypted. That also drills down to the security of the facility that houses the network.”

Advisors also have to provide regular training in information security and risks for employees and vendors.

While it might seem that RIAs, who typically partner with a larger firm or a broker-dealer to hold client assets, have an additional level of protection against hackers, difficulties remain as companies try to sort out who is responsible for protecting which pieces of data.

The SEC’s research says advisors also lag brokers in drafting plans to mitigate the impact of data breaches, and in February, the Financial Industry Regulatory Authority (Finra) released a report for broker-dealers criticizing their poor state of readiness for a cyberattack, focusing more on the firms’ response and remediation procedures than their data protection and prevention measures.

A firm’s response to a breach — particularly the speed at which it stops the hack and notifies customers — has become another point of emphasis.

In the R.T. Jones case, the firm immediately hired a forensic examiner to investigate the breach and began notifying individuals whose information was exposed — which may have helped mitigate its SEC sanctions.

Attias says that the SEC’s cybersecurity requirements will continue to evolve, which is a boon to firms like External IT.

“I think the next step over the next few years is going to be an audit trail so you can see who has been accessing what over time,” Attias says. “For us, this is a positive. At this point IT and security have become synonymous, everything from an IT perspective has to be secured and controlled. Since most of these guidelines are already IT-related, it’s good for us because it crystallizes the need for advisors to have a partner with their firms to take care of their IT needs in a secure, compliant manner.”