By: Joseph Fede, CPA Supervisor – WithumSmith+Brown, PC
Cybersecurity is the new hot topic in the financial services industry, especially in the wake of several high-profile cyber-attacks that have taken place in the United States. The targets have ranged from large corporations such as Home Depot and Sony to the Federal Government. These cyber-attacks are becoming more frequent and more sophisticated. As business and technology become more integrated, nearly every transaction in today’s economy is conducted in whole or in part online.
Financial institutions are in a unique position of vulnerability. Not only do they maintain financial information valuable to hackers, but they also play a critical role in national and global markets, and any data breach could result in severe consequences. Financial firms have used third-party service providers to mitigate the risk of cyber-attacks; however, recent attacks have proven this method ineffective. With firms relying solely on third parties, any breach in service can cause major issues. As a result, an effective approach to cybersecurity concerns is particularly important, and firms are beginning to take a proactive internal approach.
Major financial services organizations such as the Financial Industry Regulatory Authority (FINRA), the Investment Advisory Association (IAA) and the ACA Compliance Group (ACA) have led the way in the fight against cyber-attacks, providing research, tips and suggested practices to increase awareness and help firms become less vulnerable. FINRA has recently conducted an assessment of various firms to understand their approach to managing cyber threats. Overall, the purpose was to identify common issues and provide feedback on best practices. Below is a list of some recommendations based upon the assessment.
• Perform a cybersecurity risk assessment and actively involve senior management and board members.
• Assess internal and external threats and areas of vulnerability.
• Increase IT controls that involve data encryption and access management.
• Have a response preparation protocol in place in case of a successful attack.
• Perform thorough due diligence on third-party service providers.
• Keep staff informed, well trained in cybersecurity and up to date on recent attacks.
Recently, a survey of 474 financial institutions and advisory firms conducted by the IAA and ACA identified some steps being taken and issues arising from recent threats. Below are some results from the survey.
• Nearly 88% of the 474 advisory firms polled identified “cybersecurity/privacy/identity theft” as their top compliance challenge this year.
• About 43% report having a formal, written, standalone cybersecurity program, while another 42% have formal cybersecurity policies and procedures that are incorporated into broader programs.
• The incidence of cyber breaches has jumped, with 15% of advisors reporting being the victim of a cybersecurity breach in the past 18 months, up from 11% last year.
• The advisory firms also reported increased compliance testing in the following areas: cybersecurity/privacy/identity theft (67.9%); advertising/marketing (43%); personal trading/code of ethics (34%); disaster recovery planning (35%), and best execution (32%).
• Nearly half (47%) prohibit the use of personal social networking websites for business purposes, down slightly from 49% in 2013.
This compliance survey comes at a time when more than 3,000 financial institutions have applied for .BANK domain names. .BANK is a new online bank community that uses enhanced security requirements and strict verification standards to provide banks and their customers with a safer place to conduct online business.
The Securities and Exchange Commission (SEC) and Federal Bureau of Investigation (FBI) are lending a helping hand based on what they are learning from the more recent high-profile attacks. The SEC recently sponsored a Cybersecurity Roundtable and emphasized the importance of cybersecurity at registered entities to the integrity of the market system and the need for effective cooperation between government and the private sector to respond to increasing cyber threats. The FBI, meanwhile, has used its resources internally, with agents, computer scientists and top minds from the private sector, to combat these cyber-attacks.
Cybersecurity is a key risk that the financial services industry faces today, and one that will likely grow in importance in the coming years. The SEC and FINRA have made it clear that they are keeping this a top priority and will use all resources to improve security. FINRA is expecting the same level of concern and proactive approach from firm management, hoping they will devote sufficient resources both to understand the current cybersecurity threats and to implement the measures necessary to mitigate these risks.
If you have questions or concerns surrounding cybersecurity or financial services, please contact your WithumSmith+Brown representative.