Are your funds safe when held by online brokerages? SEC cybersecurity exam of 100 broker-dealers reveals high risk

The Securities and Exchange Commission (SEC) yesterday released publications that address cybersecurity at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.

“Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC Chair Mary Jo White. “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”

Risk Alert, a recent publication by the SEC’s Office of Compliance Inspections and Examinations (OCIE), contains observations based on examinations of more than 100 broker-dealers and investment advisers.

Of those surveyed, more than half of U.S. brokerage firms admitted that they had been targeted by email scams aimed at tricking them into wiring away client money.

Recently, Timothy Massad, Chairman of the Commodity Futures Trading Commission (CFTC), stated publicly that the regulatory authority over which he presides is so underfunded that it cannot keep pace with the technological change required to combat cybersecurity threats and internet fraud.

In many cases, brokers believed the impostors and transferred the funds, resulting in brokerage companies having to reimburse their clients. Of the brokerage firms that received the fraudulent emails, 26% reported losses of more than $5,000, according to the Securities and Exchange Commission.

The SEC last year sampled 106 firms—57 broker-dealers and 49 registered investment advisers—to assess the industry’s cybersecurity risk.

On Tuesday this week, the SEC stated that 88% of the broker-dealers and 74% of RIAs it examined for its report had experienced some form of a cyberattack.

The examinations focused on how these firms:

  • Identify cybersecurity risks
  • Establish cybersecurity policies, procedures, and oversight processes
  • Protect their networks and information
  • Identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors
  • Detect unauthorized activity

“Our examinations assessed a cross-section of the industry as a way to inform the Commission on the current state of cybersecurity preparedness,” said OCIE Director Andrew Bowden.  “We hope that investors and industry participants will also benefit from what we have learned.”

The second publication, an Investor Bulletin issued by the SEC’s Office of Investor Education and Advocacy (OIEA), provides core tips to help investors safeguard their online investment accounts, including:

  • Pick a “strong” password
  • Use two-step verification
  • Exercise caution when using public networks and wireless connections

“As investors increasingly use web-based investment accounts, it is critical that they take steps to safeguard those accounts,” said OIEA Director Lori J. Schock. “This bulletin provides everyday investors with a set of useful tips to help protect themselves from cyber-criminals and online fraud.”
