A quarter of broker/dealers have suffered losses of more than $5,000 after receiving fraudulent emails seeking to transfer client funds, according to the Securities and Exchange Commission.
On Tuesday, the SEC and the Financial Industry Regulatory Authority released reports on information gathered from their cybersecurity sweeps conducted in 2014. The SEC’s sweeps encompassed 57 broker/dealers and 49 registered investment advisors, while FINRA’s data was gathered from 224 b/ds.
Other key findings include:
- Fifty-four percent of b/ds and 43 percent of RIAs say they’ve received phishing and fraudulent emails seeking to transfer client funds.
- Only one RIA (out of the 49 surveyed) reported a loss related to an email scheme. But that attack cost the advisor more than $75,000 in losses.
In both surveys, b/ds said employees could be the weak link.
- A quarter of those firms that had suffered losses reported the breach was the result of employees failing to follow identity authentication measures.
- About 95 percent of b/ds said they mandated training for staff, according to FINRA’s sweep.
- Only a small portion of firms reported employee intentional misconduct—11 percent of b/ds and 4 percent of advisors.
When it comes to protecting against breaches

Most b/ds have written information security policies, but these policies generally don’t address how to determine who is responsible for client losses arising from cyber attacks. The regulators may have only asked about cybersecurity measures in these most recent sweeps, but regulation and enforcement could be on the way.

Yet many advisors may not have the resources in-house to meet regulators’ expectations, and securing their systems is going to require outside help and a hefty investment. “It’s just way too much for a typical advisor to handle,” Donald J. Kalil, president of Wilmington, Del.-based Affinity Wealth Management, told WealthManagement.com in August after receiving the SEC’s information request.

“The typical IA is going to have one or two IT people, and that questionnaire is essentially one that even a giant b/d conglomerate would have trouble relating to,” John Reed Stark, managing director at cyber security firm Stroz Friedberg and former Internet enforcement at the SEC, said at the time.

Stark doesn’t believe it’s simply a request for information to get an idea of what advisors are doing. In his recent conversations with SEC staff members, Stark said, they told him the preliminary results of the sweep were poor. “They’re not just going to sit on a bunch of poor responses and say, ‘OK, isn’t that interesting?’” Stark said. “They’re either going to bring enforcement cases, or they’re going to do rulemaking. And I don’t see how you can do rulemaking in this space because technology is ever-changing.”

-Additional reporting by Diana Britton.