Reports from the SEC and FINRA on cybersecurity in the finance industry show varied levels of preparedness and the potential for big, unforced errors

Two reports on cybersecurity in the finance industry, released this week by the SEC and FINRA, are light on detail but give the impression that there’s still a lot of work to be done if high-profile attacks like the one against JPMorgan earlier this year are going to be avoided.

SEC gives more information on the current state of finance cybersecurity

Of the two reports, the SEC gives us more information about what the finance industry is currently doing to protect itself, while FINRA is focused on best practices that it believes brokers and advisors should follow (it’s careful to point out that none of the suggestions imply any new regulations in the pipeline). But even then it’s hard to know what the survey really means.

For example, the SEC says that 98% of brokers and 91% of advisors use encryption in some form, but it doesn’t tell us if they’re using it correctly (there are plenty of dumb ways to use any security tool) or what is being encrypted: client data, email communications, login credentials? That the vast majority of brokers are doing something doesn’t mean they are following best practices.

Brokers are still falling for phishing attacks

Probably the most disturbing finding in the SEC report is that 26% of brokers reported individual losses above $5,000 because they fell for scam emails asking them to transfer client funds, with one broker losing $75,000. The report doesn’t say how many accidentally sent off smaller amounts. That’s not just embarrassing; it shows how little thought brokers are putting into cybersecurity. If you can’t even get people to stop falling for phishing scams, it’s not terribly realistic to expect them to follow more demanding operational security protocols.

While the client who lost $75,000 was made whole, the SEC writes that “written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.”

Vendors also need proper security training

While the quality of security training that brokers and advisors offer their staff needs to improve, only 51% of vendors and 13% of advisors have policies about the training of their vendors’ staff, even though vendors have access to their clients’ network and many firms report being attacked indirectly through vendors.