Brokerage Firms Most Worried About Hackers and Rogue Employees, Finra Report Says
By MATTHEW GOLDSTEIN
FEBRUARY 3, 2015 11:54 AM
The destructive cyber attack on Sony Pictures Entertainment last fall that federal authorities linked to the North Korean government raised alarm bells about the hacking threat posed by foreign governments. But brokerage firms based in the United States remain most concerned about an attack carried out by a loose band of hackers or employees with a grudge.
A report released on Tuesday by the Financial Industry Regulatory Authority, the industry’s self-regulatory organization, said a survey of about 20 brokerage firms found the threat of an online attack by a nation or a terrorist group ranked near the bottom of the industry’s concerns.
Concerns about state-sponsored attacks were highest at big investment banks. But few of the largest firms surveyed by Finra put such attacks at the top of their list.
All the firms said they had little concern about a hack carried out by a competitor.
The results of the survey were included in a Finra report that focused on best practices that brokerage firms should enact to prevent serious attacks that can compromise customer personal and financial information. The organization conducted the survey last year to gain a better understanding of what brokerage firms, both large and small, are doing to guard against a serious attack.
In another sign of just how important the threat of an attack has become for the financial services industry, the Securities and Exchange Commission issued its own report on Tuesday that examined how prepared Wall Street investment banks and brokerage firms are to repel hackers bent on accessing their digital networks. The S.E.C. examination of more than 100 registered firms found that the overwhelming majority of them “have been the subject of cyber-related incident.”
The most common attacks involved hackers introducing malware into a firm’s network or the use of fraudulent emails seeking to persuade brokers to improperly transfer a client’s money.
The Finra report recommended that all brokerage firms assess their security as well as review the safeguards put in place by the vendors they employed. These reviews should focus on things like data encryption, the number of employees who have access to a network, the frequency of software patches and updates, the security of data storage facilities and measures taken to secure wireless and mobile systems.
The report said about 80 percent of firms surveyed already conduct some form of periodic security self-assessment. But the regulatory agency said it was “concerned that the remaining firms either had no program in place or were in the nascent stages of establishing a program.”
The report does not identify the firms that Finra surveyed. From time to time, the group conducts so-called sweep investigations or surveys of a select group of brokerage firms that are supposed to represent a cross-section of the large and small firms the regulatory agency oversees.
“Firms must make responding to these threats a high priority,” Susan F. Axelrod, Finra’s executive vice president for regulatory operations, said in a prepared statement.
Finra also recommended that brokerage firms institute strict measures to restrict who at a firm can get access to sensitive “systems and data.” The report also recommended that firms put in place a plan for quickly terminating employees’ and vendors’ ability to access a particular system when it was no longer relevant to their particular job.
Better safeguards on employee and vendor access to a firm’s network are one way to prevent a hack being conducted by a company insider.
The report also highlights the need for financial services firms to better coordinate their efforts and share information about potential threats and attacks. Finra is echoing a point increasingly made by federal authorities about the need for companies to work more closely with government authorities and each other to thwart increasingly sophisticated hacks.
“Finra believes that the security industry can be more effective in advancing cybersecurity for the community as a whole when it engages in collaborative self-defense,” the report said. “To that end, Finra urges firms to revisit their hesitancy to participate in information sharing bodies.”