IA brief: Account takeovers are big cybersecurity risk for advisers

April 24, 2014

By Jason Wallace, Compliance Complete

NEW YORK, April 24, 2014 (Thomson Reuters Accelus) – A recent cybersecurity roundtable hosted by the Securities and Exchange Commission should act as a call to action for investment advisers, as the threat of cyber attacks is high for all companies and increasing daily, say event panelists.

Investment advisers, whether small or midsize, are not immune from these attacks and now is a good time to recognize the firm’s risks, review available guidance, hone formal policies and procedures, and preparing for an imminent SEC exam module concerning cybersecurity.

David Tittsworth’s, executive director of the Investment Adviser Association, gave the roundtable an overview of the cybersecurity risks often seen in the adviser community. A traditional adviser or investment manager’s top risk is account takeover. For private and institutional wealth-management advisers, the risks include hackers and denial of service. Tittsworth also noted that internal risks apply to all advisory firms.

A majority of advisers are small businesses and typically lack the resources or tools that larger firms have to protect against and combat cyber attacks. However, awareness is the first tool for ensuring that advisers are not falling behind, according to Tittsworth.


Threats for small-to-midsize firms may differ from those menacing larger institutions. But they are just as devastating, and one breach can bring down an advisory firm. Mr. Tittsworth spoke on behalf of the adviser community and gave a look at what types of risks are seen for both the traditional and private or institutional adviser.

Account takeovers have grown in frequency, Tittsworth said. A takeover or highjacking of an account or email involves taking someone’s ID and having a firm transfer a client’s money to outside accounts, often outside the United States. For example, a client may have had their identity stolen and the criminal is using the adviser to facilitate a wire transfer out of a client’s brokerage account.

A private or institutional adviser is also susceptible to account or email takeovers. However, for these businesses, Tittsworth highlighted the specific threats of hacking, “hacktivism” and denial of service. Hacking would be the intrusion of the system by an outside party, and hacktivism would be the same but with political undertones. Denial of service is an attack that would limit or interrupt an authorized user’s access to a computer network.

Lastly, internal risks, which can affect any type of adviser and are often hard to manage. The internal risk involves a deliberate attack from an employee or person personally involved in the firm — a rogue employee. For example, a disgruntled employee may leave one firm and take certain client personal information and use it at a new firm.

Internal risk also could take the form of inadvertent actions such as losing a laptop or smartphone, which in turn would pave the way to an attack or breach.

The Financial Industry Regulatory Authority has been conducting sweep exams of its registrants to get a better understanding of the risks. Their initial results mirrored many of the investment adviser risks, but also included phishing attacks both on the firms’ systems and employees and malware attacks.

Next step

The SEC has yet to provide guidance for advisers. A majority of panelists urged principles-based versus rigid requirements from the agency. Until more guidance appears, an adviser can prepare with some of the resources that are now available. They include:

  • In recent months the SEC has mentioned upcoming examinations will cover adviser cybersecurity. Presumably it could take the form of separate examinations or additional questions or modules in routine exams. There have been unconfirmed reports that the cyber security module is now in use. In the meantime, one can make educated speculations of what it will contain.

    The module will likely question the adviser’s policies and procedures for identifying risks, responding to identity theft and the handling of business continuity in the case of a cyber attack. The SEC will also inquire about the level and impact of prior attacks.

    It’s also safe to assume the SEC will question the advisory firm’s policies and practices when it comes to the protection of the firm’s network, specifically how threats are determined and detected. The topics of IT and employee training, customer transfers/wires, vendor access and vendor due diligence will also be covered.

  • A review of the recent “red flags rule”is prudent. The rule only applies to financial institutions and creditors that offer or maintain covered accounts, which may apply to some advisers. But the core requirements of the red flags rule, are definitely in line with a traditional adviser’s number one cyber threat, account takeovers. Account takeovers are directly related to identity theft.

    The SEC adopted seven guidelines to assist financial institutions and creditors in the formulation and maintenance of a program that satisfies the requirements of the identity theft red flags rule.

  • The Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) provides guidelines on how to build cybersecurity infrastructure.
  • As mentioned during the roundtable, many of the larger firms use the Financial Services Information Sharing and Analysis Center or FS-ISAC to share information concerning physical and cyber threats and vulnerabilities. It is a subscription-based platform. A review of their website, indicates it may have affordable options for small to midsize firms.
  • A member of the panel mentioned that a firm can review the proposed amendment to Regulation S-P proposed amendment to Regulation S-P as a source for practical application.

The recent regulatory activity concerning cybersecurity and the fact that many of the SEC commissioners stayed for the entire roundtable suggest that the topic will receive a strong focus in the coming months, so it’s best to prepare now.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/