This post brings us to an overview of the final panel at today’s SEC Cybersecurity Roundtable. The panel began with a discussion on the nature of the cybersecurity risks faced by broker-dealers, and the steps taken by FINRA to address the issue. FINRA is in the process of developing protocols, particularly when dealing with personally identifiable information. To help develop these protocols, FINRA has been surveying broker-dealers to determine their areas of concern. Interestingly, broker-dealers are focused on (in order of importance): operational risks, insider risks, and hackers penetrating their systems.
The panel members representing investment advisors were primarily concerned with the potential takeover of a client account. Clearly, the notion of a hacker taking control of a trust account is a scary one. Other areas of concern included activism through denial of service attacks on large financial institutions, and theft by individual employees. Asset managers recognize that cybersecurity and the threat of cyber attacks are not IT problems, but rather enterprise issues to be addressed at the highest levels. In particular, the panelists noted that wealth management firms receive a large volume of e-mails from consumer accounts that have been taken over or compromised. This creates a very plausible scenario in which a firm receives what appears to be a set of instructions from a client, only to discover that it was an attempt at theft by a hacker.
All members of the panel acknowledged that one of the most significant issues facing financial services companies is the struggle to keep up with the changing face of cyber attacks. The rapidly expanding power of technology as well as the sophistication of hackers is allowing more people from around the globe to launch more robust attacks. In short, today’s solutions are useless for defending against tomorrow’s threats.
So, does size matter? With regard to broker-dealers, over 50% of registered broker-dealers are small businesses with fewer than 10 employees. As a result, they are less prepared and more vulnerable than large financial institutions. While hackers are tempted to attack large companies because they possess more information—on a volume basis—the smaller companies present a softer target. Smaller companies may be an easy point of entry from which to work upstream to the larger institutions. This is exactly what happened in the case of the Target breach.
Raising a very interesting and troubling point, the panel delved into the move from fixed terminals to mobile devices. The venerable BlackBerry was designed from the outset to be highly secure; hence its broad enterprise acceptance. Today’s new phones—Android/iOS—are highly popular, but lack reliable security protocols. Yet businesses are routinely launching new apps—ironically through these new, less secure mobile devices—to help consumers manage their accounts. The need to grow market share and meet consumer demand versus the need for security will therefore continue to be a point of tension in today’s market.
So, where do we go from here? What should the SEC do or not do? The panel was looking for principle-based guidance rather than prescriptive rules, because hard and fast rules will be out of date almost immediately after they are issued due to the changing nature of the cyber threat. As a result, guidelines/principles/goals are more likely to be productive and permit companies to comply with the SEC while battling the cybersecurity threat.
The panel was unanimous on the need for clear guidelines for sharing threat information with the government while being simultaneously protected from legal liability. Members of the panel expressed the desire to have the various arms of the government (SEC, DHS, FBI, FTC, etc.) coordinate with one another in order to have a harmonious set of enforcement/regulatory regimes. Echoing the takeaways from the other panel discussions, it was noted that companies have a strong self-interest in protecting themselves from cyber attacks, so they are looking for the government to help them and not treat them as a perpetrator.
Moderators: David Grim, Deputy Director, Division of Investment Management; James Burns, Deputy Director, Division of Trading and Markets; Andrew Bowden, Director, Office of Compliance Inspections and Examinations

Panelists:
- John Denning, Senior Vice President, Operational Policy Integration, Development & Strategy, Bank of America/Merrill Lynch
- Jimmie H. Lenz, Senior Vice President, Chief Risk and Credit Officer, Wells Fargo Advisors LLC
- Mark R. Manley, Senior Vice President, Deputy General Counsel, and Chief Compliance Officer, AllianceBernstein L.P.
- Marcus Prendergast, Director and Corporate Information Security Officer, ITG
- Karl Schimmeck, Managing Director, Financial Services Operations, Securities Industry and Financial Markets Association
- Daniel M. Sibears, Executive Vice President, Regulatory Operations/Shared Services, FINRA
- John Reed Stark, Managing Director, Stroz Friedberg
- Craig Thomas, Chief Information Security Officer, Computershare
- David G. Tittsworth, Executive Director and Executive Vice President, Investment Adviser Association