Regulators agree that cybersecurity threats pose significant risks to financial firms, investors and the markets. As a result, cybersecurity practices are a key focus for regulatory examinations this year for both the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC).

At the recent 2017 FINRA Annual Conference, David Kelley, Surveillance Director, Kansas City District Office, FINRA, moderated a panel of Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC), Stephanie Mumford, Chief Compliance Officer and Senior Legal Counsel, T. Rowe Price Investment Services, Inc., and Andy Zolper, Senior Vice President and Chief Information Security Officer, Raymond James Financial, Inc. to provide guidance on cybersecurity practices for the financial services industry.

What Cybersecurity Lapses Are Regulators Finding During Exams?

“Cybersecurity is a huge priority for the SEC,” said Hannibal. About one third of examined firms had client losses that were cyber-related, but fortunately, they were not large amounts. The SEC is also seeing problems with third-party wires where employees fail to properly authenticate customers’ requests. The majority of the firms examined by the SEC had unauthorized external distributions of Personally Identifiable Information (PII), such as deliveries of information to the wrong customer or to the wrong persons within the firm. As of exams conducted through May, the SEC had not identified ransomware as a problem, but that could change at any time. The SEC has also seen issues with phishing emails and spear phishing. They have also heard that firms’ employees are clicking on problematic attachments more than 20 percent of the time. “There is work to be done to better protect firms,” concluded Hannibal.

Best Practices

Mitigate the risk of cyber-attacks at your firm through these five best practices:

  • Governance
  • Risk Assessment
  • Cyber Security Training
  • Access Management
  • Vendor Management

Read more details on each of these best practices here.

Author: Joanna Belbey