At least 88 percent of securities brokerages and 74 percent of
investment advisory firms have been targets of cyberattacks, the
U.S. Securities and Exchange Commission (SEC) said in a Feb 3
report.
The SEC and Financial Industry Regulatory Authority (FINRA) have
made checking up on firms’ cybersecurity practices a priority for
their examiners this year.
Even the largest firms, with armies of technology professionals at
their disposal, can struggle to answer examiners' queries about
cyber-preparedness. The task is an even bigger challenge at smaller
firms, where preparations fall to a handful of individuals, and
sometimes one.
How much work is involved? "That’s where your soul breaks," said
David Edwards, president of Heron Financial Group, LLC, an
investment advisory firm in New York that manages $171 million in
assets.
Edwards launched a major cybersecurity upgrade at his seven-person
firm last year, after receiving a spate of fake messages from
clients’ hacked personal email accounts asking for money transfers.
Edwards is wrapping up the six-month-long project, which consumed
roughly one day of his time each week, he said.
Firms that cannot afford to employ round-the-clock technology
departments are facing mounting responsibilities as hackers become
more aggressive and regulators ramp up their scrutiny of precautions
firms are taking against such threats.
Fortunately, guidance is plentiful. A FINRA cybersecurity report
published last week, for example, can serve as a starting point for
firms that are struggling with the basics, said Joseph Rivela, chief
strategist for Breach Intelligence LLC, a Farmington, Connecticut,
information security firm.
The 46-page report is a detailed primer on cybersecurity best
practices, such as conducting periodic reviews to look for potential
threats and developing policies that may restrict certain employees
from some kinds of programs.
Developing new policies can be a long-term task. But firms can take
some immediate steps to protect data while working toward the larger
goal, Rivela said. For example, an inventory of technology devices
can unearth laptops and servers that the firm no longer needs.
Unplugging those devices cuts off pathways that hackers can use to
access data, Rivela said.
Other short-term steps can include prohibiting employees from
sharing passwords, a common practice at small firms, said Emily
Gordy, a lawyer in Potomac, Maryland, who advises firms on regulatory
issues. Firms should also have procedures for cutting off computer
privileges for employees who leave, Gordy said.
Still, there are many precautions that small firms cannot take on
alone. Many are turning to secure cloud-based services from
companies such as Abacus Group LLC in New York and International
Business Machines Corp to manage their back office and business
systems, Rivela said.
Heron's Edwards, who worked in the technology field before becoming
an adviser, has also hired outside companies to help with antivirus
software, technology upgrades, and testing his systems for
vulnerabilities. “You can’t possibly have this kind of expertise in
house unless you’re JP Morgan,” he said.
(Reporting by Suzanne Barlyn; Editing by Christian Plumb)
[© 2015 Thomson Reuters. All rights
reserved.]