When it comes to cybersecurity, independent broker-dealers lag the wider industry on utilizing basic safeguards to protect customer information and prevent fraudulent activity.
After the Securities and Exchange Commission and the Financial Industry Regulatory Authority performed cybersecurity sweeps in 2014 and released the results early last year, the Financial Services Institute surveyed 39 of its members in the second half of 2015.
The results showed that over two-thirds of firms had not experienced a cybersecurity incident in 2013 or 2014, while over 74 percent of investment advisers surveyed by the SEC reported experiencing a cyber-related attack during the same period. The SEC found the majority of the cyber-related incidents were due to malware and fraudulent emails.
“So either FSI member firms are doing a lot better job than the industry overall, or maybe people were not forthcoming, or maybe it was a self-selecting bias that only firms that felt good about how they were doing. I don’t know,” says Brian Rubin, a partner specializing in securities law with Sutherland Asbill & Brennan.
Yet the low number of reported incidents did not correlate with the level of policies and procedures firms reported having in place. When it came to preparedness, only 77 percent of firms surveyed by FSI maintained written cybersecurity policies and procedures. The SEC found in its sweep that 93 percent of investment advisers had these written policies in place.
“You should be warned if you don’t have policies and procedures, those could be easy enforcement actions for both the SEC and FINRA. They have brought a number of enforcement actions where firms had insufficient or limited guidance,” Rubin says.
When it comes to email encryption, about 88 percent of IBDs surveyed use it, compared to 98 percent of the firms in the SEC sweep. Moreover, fewer independent broker-dealers performed risk assessments or had business continuity plans in place to address cybersecurity issues compared to the RIAs surveyed by the SEC.
Many firms also were not using common customer authentication policies and procedures. Just over half of IBDs surveyed had customer portals that used two-factor authentication to reduce the chance that an unauthorized user gains access to a customer’s account. Only about 72 percent of IBDs surveyed maintained policies and procedures for authenticating customer instructions received via email.
“It may be that becomes a de facto standard that the SEC and FINRA has it, so if you don’t have it, you’re deficient, so that’s something you should be watching out for,” Rubin says.