This morning, the SEC issued a risk alert to release the results of its recent cybersecurity examination sweep of 57 registered broker-dealers and 49 registered investment adviser (RIA) firms. This release of results follows a April, 15, 2014 risk alert issued by the SEC which included a sample RIA cybersecurity information request list. Today's release also comes only a few months after the North American Securities Administrators Association, Inc. (NASAA) released the survey results of its recent cybersecurity project looking at 440 RIA firms across 9 states. Thus, it's evident that both SEC and state-registered RIA firms need to remain very focused on information technology security as it will likely remain a hot RIA compliance topic for many years to come.
Some key takeaways from the SEC's cybersecurity examination sweep results are:
- Compared to only 4.1% of 440 state-registered RIA firms surveyed by NASAA, 74% of the 49 investment advisory firms audited during the sweep by the SEC reported that the firm had experienced a cyber-attack. While the truth is likely somewhere in the middle, these differing stats lead to to two potential conclusions:
- Larger firms are more frequent targets of cyber-attacks
- Smaller firms may not be fully aware that they have been the target of a cyber-attack
- 83% of advisory firms examined by the SEC have adopted written information security policies. This compares to 76.9% of state-registered firms survey by NASAA that at least have some form of an information security policy. Probing further, 51% of SEC-audited firms have a business continuity plan (BCP) that addresses the impact of cyber-attacks or intrusions. This compares to 39.6% of smaller RIA firms surveyed by NASAA. Unfortunately, as the SEC report highlights, only 13% of the advisory firms it reviewed have a policy in place to determine if the firm is responsible for client losses associated with information security incidents.
- 79% of RIA firms audited by the SEC conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities. On the other hand, NASAA reports that 62% of firms under state jurisdiction perform such risk assessments. The SEC release goes on to highlight that only 32% of the advisory firms that it audited required 3rd party vendors with access to the firm's networks to also conduct similar risk assessments.
- A key SEC finding that should put all RIA firms on alert is that 43% of the advisory firms it reviewed reported receiving fraudulent emails seeking to transfer client funds. In particular, one RIA firm reported a client loss of more than $75,000 related to a fraudulent email. In this case, the firm ultimately made the client whole.
- The SEC reports that 21% of the advisory firms it audited currently have cybersecurity insurance. This compares to 17% of state-registered investment advisers surveyed by NASAA. To date, only one firm examined by the SEC reported filing a cybersecurity insurance claim.
In summary, it appears that the vast majority of RIA firms, and in particular larger firms registered at the federal level, are beginning to properly implement the necessary policies and procedures to address potential cybersecurity issues. However, simply forming a policy is not enough, and advisory firms of all sizes need to continue be more vigilant as it relates to information security threats. This vigilance should include not only ensuring that proper policies and procedures are implemented but also ensuring that the policies are followed and tested on a regular basis.
Furthermore, as RIA compliance consultants, we strongly recommend that the Chief Compliance Officer (CCO) of all investment advisory firms take these actions as part of the firm's efforts to address potential information security issues:
- Review both the SEC cybersecurity sweep results and the NASAA cybersecurity survey results.
- Review the SEC's latest investor bulletin targeted to help retail clients protect online brokerage accounts from fraud. While the bulletin is meant for retail clients, many of the tips are also good starting points for RIA firms to implement when it comes to employee policies and best practices on topics such as two-factor authentication and not clicking on suspicious links which are emailed.
- Download our free checklist: 10 Steps RIA firms Can Take to Address Cybersecurity Threats.
- Review the firm's policies and procedures manual to ensure that the proper policies are in place to:
- Review and perform due diligence on third party vendors
- Conduct firm-wide technology and information security risk assessments on a regular basis
- Ensure business continuity after an information security incident
- Determine the responsibility of client financial losses related to cyber attacks
- Ensure that data encryption is being utilized when possible.
- Consider obtaining cybersecurity insurance as traditional professional liability / errors and omissions insurance policies will not protect RIA firms against cyber attacks.