When it comes to mitigating cybersecurity attacks, broker-dealers are quickly taking a chapter out of the textbook on good dental hygiene.
Just as regular brushing and flossing can go a long way to preventing tooth decay and gum disease, so can a consistent program of vigilance work against aggressive external and internal hackers, say cybersecurity experts.
With the US Securities and Exchange Commission and Financial Industry Regulatory Authority making evaluating cybersecurity practices a priority for their examiners this year, broker-dealers must be able to prove they are alert around the clock. The regulators have reason to be concerned. At least 88 percent of broker-dealers have been the targets of cyberattacks, according to a February 3 report issued by the SEC, which examined 57 broker-dealers during 2014. That compares to about 74 percent for the 49 investment advisers also evaluated.
“Regulators are interpreting cybersecurity threats as affecting systemic risk,” explains J Paul Haynes, chief executive of data security management firm eSentire in Cambridge, Canada, who spoke during a conference call on cybersecurity held by the Security Traders Association (STA) on Wednesday afternoon, attended by representatives of 75 firms in the US and Canada. “So far they have not come out with prescriptive rules on what financial firms should do because the landscape of threat changes so quickly.”
However, that doesn’t mean that broker-dealers will be off the hook. A new report just issued by FINRA calls on broker-dealers to establish policies, procedures and controls for addressing cyberthreats and responding to attacks. Directors will need to understand and view cybersecurity as an enterprise-wide risk management issue and not just an IT issue. “What is required is a rigorous attention to detail and execution,” says the report, whose recommendations are similar to those also offered by the SEC.
In its new report on the findings of an examination sweep last year, the SEC concluded that although most brokers and investment advisers do inventory their technology systems, software and devices for cybersecurity risk, they differ in their diligence. About 89 percent of broker-dealers audit their written cybersecurity policies to determine their firm’s compliance, while only 57 percent of investment advisers do so. Other differences: about two-thirds of brokers rely on a chief information security officer, compared to only 30 percent of investment advisers, who tend to delegate the work to their chief technology officers or other staff members.
The SEC did not differentiate between tier-one or smaller-sized broker-dealers, but the latter are likely behind the curve, suggests Haynes, who offered some pointers at the STA conference call moderated by the trade group’s president Jim Toes. Smaller firms, he noted, typically lack the armies of technology professionals, expertise, and most likely the deep pockets required to effectively prevent security breaches.
Given the potential for cyberattacks to come from a diverse group of players — ranging from the foreign governments all the way to insiders — even the smallest players can ramp up their vigilance, says Haynes who came up with the following suggestions:
1. Right-size your policies and procedures
A one-size-fits-all approach isn’t the best, because it will be too costly and ineffective. “Broker-dealers need to determine just which applications, devices and data are the most vulnerable to cyberattacks and prepare according to the level of risk,” says Haynes.
That doesn’t just mean vulnerability in software and hardware, but also in everyday communications systems. Here is one way cybersecurity criminals work: they check out the LinkedIn and Facebook pages of executives at a company and send phishing emails to harvest their credentials. They use the hijacked credentials to access the network more laterally, and then gather valuable data before monetizing it. The process is like a slow dance, taking anywhere from a few days to a few months to complete.
2. Keep vigilant 24/7
Cybersecurity criminals don’t work a 9 AM to 5 PM job. They actually conduct most of their reconnaissance overnight. “Broker-dealers need to continuously monitor their network to detect any irregularities 24 hours a day,” recommends Haynes. “Always operate on the premise you are being hacked because in all likelihood you are and don’t know it.”
Among the irregularities which should raise red flags are the appearance of IP addresses from countries in which the firm does no business, credentials of low-level employees used to gain access to high-value documents and servers, higher than normal volumes of traffic during odd hours, and unusual encryption protocols. “The adage where there is smoke there is fire should always apply,” cautions Haynes.
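As an added example (not from the article or from eSentire), the four red flags Haynes lists can be expressed as detection rules and run over an access log; the log field layout, the country and protocol allow-lists, the role names and the off-hours volume threshold below are all assumptions made for illustration, and the log lines are constructed.

```python
# Added example: flagging the four irregularities the article lists over
# constructed log lines. Field layout and thresholds are assumptions.
from datetime import datetime

ALLOWED_COUNTRIES = {"US", "CA"}             # where the firm does business (assumed)
EXPECTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # protocols the firm's apps use (assumed)
OFF_HOURS = range(0, 6)                      # 00:00-05:59 local counts as "odd hours"
OFF_HOURS_BYTES = 50_000_000                 # per-event byte threshold at odd hours

# Constructed sample log: time|user|role|country|resource|sensitivity|bytes|protocol
SAMPLE_LOG = """\
2015-02-04T09:12:01|alice|executive|US|client-book|high|120000|TLSv1.2
2015-02-04T02:47:33|bob|intern|RU|client-book|high|81000000|SSLv3
2015-02-04T14:05:10|carol|analyst|CA|research-share|low|3400|TLSv1.3
2015-02-04T03:30:00|dave|clerk|US|public-site|low|900000000|TLSv1.2
"""

def parse_line(line):
    ts, user, role, country, resource, sens, nbytes, proto = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "country": country, "resource": resource, "sensitivity": sens,
            "bytes": int(nbytes), "protocol": proto}

def flag_event(ev):
    """Return the reasons an event should raise a red flag (empty if none)."""
    reasons = []
    if ev["country"] not in ALLOWED_COUNTRIES:
        reasons.append("foreign-country source")
    if ev["role"] in {"intern", "clerk"} and ev["sensitivity"] == "high":
        reasons.append("low-level credential on high-value resource")
    if ev["ts"].hour in OFF_HOURS and ev["bytes"] > OFF_HOURS_BYTES:
        reasons.append("high traffic volume at odd hours")
    if ev["protocol"] not in EXPECTED_PROTOCOLS:
        reasons.append("unusual encryption protocol")
    return reasons

def scan_log(text):
    """Map user -> reasons for every event that tripped at least one rule."""
    findings = {}
    for line in text.strip().splitlines():
        ev = parse_line(line)
        hits = flag_event(ev)
        if hits:
            findings.setdefault(ev["user"], []).extend(hits)
    return findings

if __name__ == "__main__":
    for user, hits in scan_log(SAMPLE_LOG).items():
        print(user, "->", "; ".join(hits))
```

In the sample, one event trips all four rules at once, which is the kind of correlated signal worth paging on, while a single off-hours volume spike on a public resource warrants a look but not necessarily an alarm.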
3. Educate staff
Employees should be the first line of defense, looking out for suspicious emails and attachments. Skepticism, not trust, is the modus operandi. “If an employee gets an email from a bank it doesn’t use or an individual it doesn’t know, it’s best not to respond,” cautions Haynes. Cybercriminals are eager to bait executives into clicking on their phishing emails, which will then allow them to invade computers. “E-mail phishing is highly successful because the emails look and smell like the real thing,” says Haynes. The safe bet: do not click on the suspicious email or even call the telephone number it gives. Instead, call the reputable bank or organization cited directly to report the phishing scam.
Yet another common mistake which can easily be corrected: using weak passwords and sharing passwords between workplace applications and social media. “Why make it easier for someone with sinister motives to guess or crack your password and then be given access to all your work and personal data,” asks Haynes. The alternative: creating strong passcodes with varying characters, using a different password for each application, and changing passcodes often.
4. Prepare for the inevitable
“There is no such thing as 100 percent security,” asserts Haynes. In worst-case scenarios, broker-dealers not only need to decide how to curtail the financial damage, but whom to notify. “Regulators are aware that hacking happens all the time, but firms don’t necessarily report on it,” he says. Among the parties which might need to be informed, depending on the severity of the cybersecurity attack, are the chief executive, board of directors, regulators, law enforcement agencies and investors.
“Cybersecurity is still an evolving topic and it’s likely that FINRA will be issuing more reports and guidance,” says Toes in his parting words of advice to listeners. “Still, it’s best to start elevating the topic to the C-level suite now. By educating the industry on specific cybersecurity attacks and outlining certain procedures and policies, the SEC and FINRA have laid out a solid foundation for firms to follow proper controls.”