“In April and in 2014, the SEC came out with these huge cybersecurity notices,” Attias says. “Everything was general, it was hard for firms to figure out what they needed to do. The SEC did a sweep of examinations this year and found very high failure rates in certain categories.”

An SEC survey of advisors from earlier this year found that only 57 percent of advisors regularly audit and update their cybersecurity policies and procedures, versus 89 percent for brokerages. The OCIE guidance says that firms should clearly designate responsibility for oversight of their cybersecurity programs.

“What R.T. Jones was fined for was not something that’s all that terrible,” says Attias. “They definitely weren’t in compliance, and they got hit for not having a policy in place. Companies need a plan in place, a record of their IT footprint, and a registry of all the devices out there that are used to access their data.”

Firms also have to control who can access and manipulate data within their systems to prevent unauthorized access to individuals’ private information. For advisors, this means that anyone not working directly with a client should be barred from accessing that client’s personal records, and employees who leave the firm or are reassigned to different clients must have their access rights revoked.
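The two rules in the paragraph above, deny access to anyone not assigned to the client and revoke access on departure or reassignment, are small enough to show in working code. The following is an added example written for this page; it is not code from the article, the SEC guidance, or External IT. The class, method names, user names and client identifiers are all constructed for illustration, and the gate also appends every decision to an in-memory audit list so that "who accessed what, and when" can be answered afterwards.

```python
"""Assignment-based access gate for client records, with revocation and an audit trail.

Added example for illustration; not from the article or any firm it mentions.
All names (ClientRecordAccess, users, client ids) are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class AuditEvent:
    when: datetime
    user: str
    client: str
    allowed: bool
    reason: str


class ClientRecordAccess:
    """Deny-by-default gate in front of client records.

    A user may read a client's record only while that client is assigned to
    them. Offboarding drops every assignment; reassignment moves one client
    from one user to another. Every decision is recorded in ``audit``.
    """

    def __init__(self) -> None:
        self._active: Set[str] = set()                 # users still employed
        self._assignments: Dict[str, Set[str]] = {}    # user -> clients they serve
        self.audit: List[AuditEvent] = []

    def onboard(self, user: str) -> None:
        self._active.add(user)
        self._assignments.setdefault(user, set())

    def assign(self, user: str, client: str) -> None:
        if user not in self._active:
            raise ValueError(f"{user!r} is not an active user")
        self._assignments[user].add(client)

    def reassign(self, client: str, from_user: str, to_user: str) -> None:
        """Move a client to a new user; the old user loses access immediately."""
        self._assignments.get(from_user, set()).discard(client)
        self.assign(to_user, client)

    def offboard(self, user: str) -> None:
        """Departure: remove the user and every assignment they held."""
        self._active.discard(user)
        self._assignments.pop(user, None)

    def can_access(self, user: str, client: str) -> bool:
        """Decide, then log the decision whether it was allowed or not."""
        if user not in self._active:
            allowed, reason = False, "user is not active"
        elif client not in self._assignments.get(user, set()):
            allowed, reason = False, "client not assigned to user"
        else:
            allowed, reason = True, "client assigned to user"
        self.audit.append(AuditEvent(datetime.now(timezone.utc), user, client, allowed, reason))
        return allowed

    def history_for_client(self, client: str) -> List[Tuple[str, bool]]:
        """Audit-trail query: who tried to read this client's record, and was it allowed?"""
        return [(e.user, e.allowed) for e in self.audit if e.client == client]


def run_demo() -> List[Tuple[str, bool]]:
    """Walk through assignment, reassignment and offboarding for one constructed client."""
    gate = ClientRecordAccess()
    gate.onboard("alice")
    gate.onboard("bob")
    gate.assign("alice", "client-1001")
    gate.can_access("alice", "client-1001")   # allowed: assigned
    gate.can_access("bob", "client-1001")     # denied: not assigned
    gate.can_access("carol", "client-1001")   # denied: never onboarded
    gate.reassign("client-1001", "alice", "bob")
    gate.can_access("alice", "client-1001")   # denied: reassigned away
    gate.can_access("bob", "client-1001")     # allowed: now assigned
    gate.offboard("bob")
    gate.can_access("bob", "client-1001")     # denied: departed
    return gate.history_for_client("client-1001")


if __name__ == "__main__":
    for user, allowed in run_demo():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY'}")
```

The point of logging denials as well as grants is that a denied request from a departed account is exactly the signal an examiner, or an incident responder, would want to find in the trail.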

According to the SEC’s research, only 32 percent of advisors assess the data security of vendors who access their computer systems. This is an area of concern for the SEC because almost three-quarters of advisors targeted by hackers, including R.T. Jones, have had data breaches occur directly or indirectly through their vendors’ networks or facilities. The SEC guidance says networks should be protected both physically and digitally.

“Advisors will want to have the highest level of security,” Attias says. “That means, of course, that they need to have anti-virus software. They need to have their data encrypted. That also drills down to the security of the facility that houses the network.”

Advisors also have to provide regular training in information security and risks for employees and vendors.

While it might seem that RIAs, who typically partner with a larger firm or a broker-dealer to hold client assets, have an additional level of protection against hackers, difficulties remain as companies try to sort out who is responsible for protecting which pieces of data.

The SEC’s research says advisors also lag brokers in drafting plans to mitigate the impact of data breaches. In February, the Financial Industry Regulatory Authority (Finra) released a report for broker-dealers criticizing their poor state of readiness for a cyberattack; it focused more on firms’ response and remediation procedures than on their data protection and prevention measures.

A firm’s response to a breach — particularly the speed at which it stops the hack and notifies customers — has become another point of emphasis.

In the R.T. Jones case, the firm immediately hired a forensic examiner to investigate the breach and began notifying individuals whose information was exposed — which may have helped mitigate its SEC sanctions.

Attias says that the SEC’s cybersecurity requirements will continue to evolve, which is a boon to firms like External IT.

“I think the next step over the next few years is going to be an audit trail so you can see who has been accessing what over time,” Attias says. “For us, this is a positive. At this point IT and security have become synonymous, everything from an IT perspective has to be secured and controlled. Since most of these guidelines are already IT-related, it’s good for us because it crystallizes the need for advisors to have a partner with their firms to take care of their IT needs in a secure, compliant manner.”
