Advisors Could Be the Weakest Cybersecurity Link at Their Firm
Advisors are being told to pay attention to their firms’ cybersecurity training because they -- or any individual -- could be the firm's weakest link.
A Finra conference on cybersecurity, held in February, highlighted the vulnerabilities of the financial advisory industry against cyberattacks and the need for firms to step up their protection against and detection of such threats.
Steven Polansky, senior director at Finra’s Office of Regulatory Operations/Shared Services, said the self-regulator considers cybersecurity a top priority. "It’s not a coincidence that cybersecurity was number one in our exam findings," he said at the conference.
Polansky was referring to the first-ever report published by Finra summarizing its findings from broker-dealer firm exams. The report covers the regulator’s observations on issues it believes could potentially affect investors and the markets, or that occur frequently.
Finra said in the report that cybersecurity is one of the principal operational risks facing broker-dealer firms. The self-regulator noted that most broker-dealer firms examined last year established, or were establishing, risk management practices. But the quality of those practices varies "substantially" both within and across firms, it noted.
"In the environment that we’re in it’s virtually impossible to prevent all cybersecurity threats," Melissa Vacon, assistant vice president of information services at Signator Investors, the independent broker-dealer of John Hancock Financial Network, said at the conference.
Jeff Lanza, a retired FBI agent, stressed at the conference that employee education is important because, no matter how sophisticated a firm’s cyberprotection protocols are, the firm could still suffer a breach through the actions of its weakest link -- a careless or uninformed employee.
Phishing emails remain one of the most common types of cyberattacks, and such schemes are commonly wielded by "cybercriminals" using mass emails or pop-up messages that appear on computers, websites or social media with the goal of getting at least one individual in a firm to take the bait, he said.
The usual aim of the attack is access to data and personal or financial accounts, account takeovers or wire fraud. But phishing schemes are also avenues to deliver ransomware attacks that could hold an entire company’s cybersystems hostage, he said.
Signator Investors’ Vacon said cyberfraudsters are "sophisticated, smart and persistent" and "they are going to find that vulnerability and exploit that."
In its exam findings report Finra said firms with effective cybersecurity programs typically established strong governance structures and processes that addressed cybersecurity in a risk management context. Those firms escalated risk acceptance decisions and problems to the appropriate levels for resolution, it said. The measures implemented by those firms included regular risk assessments with detailed, time-bound follow-up action plans to resolve higher-risk concerns.
And it wasn’t enough that firms had plans and protections in place. Finra said those firms conducted regular vulnerability and penetration tests and required employees to participate in regular, role-specific and generic cybersecurity training and testing, such as through phishing email exercises.
Ann Grady, chief compliance officer at Tastyworks, a startup broker-dealer firm that was set up in January 2017, said incorporating cybersecurity risk is still fairly new for CCOs. She noted that some firms already have chief information security officers, but this is still a relatively new role in the industry.
"I believe that this is a time in the industry when the CISO is an important role like never before," she said. At Grady’s firm, the chief information officer is also responsible for cybersecurity, she noted.
Grady said "one of the things that stresses" her out in her role as CCO is the "vastness of the risks" involved in cybersecurity.
At the December hearing on the implementation and cybersecurity protocols of the SEC’s Consolidated Audit Trail before the U.S. House of Representatives’ Subcommittee on Capital Markets, Securities and Investments, the scarcity of CISOs was among the reasons cited for the delay in hiring the CAT’s own CISO. That role -- critical to ensuring cybersecurity for the CAT -- was finally filled in February with the hiring of Vas Rajan. The CAT is expected to take in 58 billion broker-dealer records daily -- including orders, cancellations, modifications, executions and quotes for the equities and options markets -- as well as maintain data for more than 100 million customer accounts and their unique customer information.
Jose Dominguez, CISO at TD Ameritrade, describes himself as among the few CISOs in the financial advice industry. His role is to take the lead with all cybersecurity issues, hold regular meetings with relevant people at the firm, regularly monitor the firm’s risk profile, and keep up to date with developments in cyberspace, among other things.
Dominguez said his team "piggybacks" its cybersecurity training of TD Ameritrade employees with the firm’s annual compliance training.
He said the cybersecurity team "exercises" its plan at least once a year. He believes such practices ensure "you will learn valuable lessons, like who owns the communication internally and with the press when there is a cyberattack."