The SEC says many financial advice firms are falling short when it comes to cybersecurity, with investment advice firms being less prepared than broker-dealers, Reuters writes.

As part of its second stage of cybersecurity exams initiated in 2014, the SEC analyzed 75 firms and found that 26% of the companies don’t conduct risk assessments on a continuous basis and 57% of the firms fail to carry out vulnerability and penetration tests with simulated attacks on critical systems, according to the newswire.

Skipping such procedures exposes financial advice firms and their clients to cyberthreats such as the WannaCry ransomware attack earlier this year that hit networks in more than 100 countries, Reuters writes.

The SEC has concluded that investment advice firms have had more issues with cybersecurity than broker-dealers, according to the newswire. On the other hand, the SEC learned that almost all investment advisors practiced regular system maintenance as part of their cybersecurity process, namely by consistently installing security patches, Reuters writes.

Only 4% of the companies examined were missing essential patches or updates, according to the newswire.
To properly conduct continuous assessments, the SEC recommends firms review the information they collect and where they store it, consider both internal and external threats as well as the security in place, and understand the impact of a potential attack on their advisors and their clients, Reuters writes. Ongoing assessments should build on an initial assessment.

The SEC says advice firms need to provide the watchdog with their company policies on penetration testing, whether conducted internally or by a third party, the results of such tests and any remedial steps taken, Reuters writes.