The vast majority of registered investment advisers now have written information security policies in place, but significantly fewer conduct periodic risk assessments of third-party vendors with access to their firms’ networks, the Securities and Exchange Commission (SEC) found after testing the cybersecurity preparedness of some 100 registered broker-dealers and investment advisers over the last year.
In a risk alert issued Tuesday, the commission found that a majority of advisers have implemented basic cybersecurity strategies – such as including a cyberattack as part of their business continuity planning – but that few firms were reporting fraudulent emails to the Financial Crimes Enforcement Network or following other advanced cybersecurity best practices. A second release issued Tuesday by the agency’s Office of Investor Education and Advocacy gives investors ways to protect their online accounts, including the suggestion that logins be protected by a two-step verification process in addition to a password.
In a press release accompanying the risk alert and bulletin, SEC chair Mary Jo White said that cybersecurity “has been and will continue to be an important focus of the SEC.”
The release of the findings raises questions about whether the SEC will create specific guidance on cybersecurity, which Congress and the White House have made a public-sector priority over the past two years. Last month, the SEC’s top inspector, Drew Bowden, reportedly said the agency plans to publish cybersecurity guidance for financial advisers this year. However, compliance experts say the guidance is expected to provide advisers a benchmark on what the industry is doing rather than provide a list of best practices or rules.
In most instances, the risk alert found that broker-dealers were more diligent about their cybersecurity readiness than advisers, a result that may be explained by broker-dealers handling a higher volume of trading and more client relationships. More than half (58 percent) of the broker-dealers examined maintain insurance for cybersecurity incidents. In contrast, only a small number of the advisers (21 percent) maintain insurance that covers losses and expenses attributable to cybersecurity incidents, the risk alert said.
For an in-depth report on how private fund managers are addressing cybersecurity challenges, see the February issue of pfm.