Cloud Technology Blog for RIAs and Broker-Dealers

Even the SEC must continually enhance its level of cybersecurity

8/9/17 12:43 PM / by Justin Kapahi

It’s no secret that cyber-attacks continue to become more sophisticated and expansive. This past June, an international cyber-attack that first hit computer systems in Ukraine quickly spread to the U.S., Denmark, Australia, and other countries. That attack occurred only a month after the WannaCry cyber-attack caused panic around the world.

The rising global threat posed by cyber-criminals has led U.S. government regulators to institute cybersecurity rules to encourage diligent security practices that can ensure financial institutions protect sensitive consumer data. Regulators in individual states like Colorado and New York have also instituted cybersecurity requirements for financial institutions.

However, the cyber threat is expanding and evolving to such an extent that even regulators themselves have struggled to keep up. The Government Accountability Office (GAO) recently issued a report stating that the Securities and Exchange Commission (SEC) must do more to protect its computer networks from cyber-attacks. A Reuters article summarized the report’s findings:

The 27-page report by the Government Accountability Office found the Securities and Exchange Commission did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.

“Information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems,” the GAO said.

“Until SEC mitigates its control deficiencies, its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise.”

The SEC, as Wall Street’s top regulator, houses a tremendous amount of sensitive and confidential information that it must closely safeguard to protect against identity theft or efforts by cyber criminals who might want to use the information for insider-trading or harming U.S. equity markets.

The GAO report did give credit to the SEC for making improvements, saying that since September 2016, the agency had resolved 47 of 58 different recommendations previously made by the watchdog office.

However, the GAO noted that 11 recommendations to protect against cyber intrusions remain outstanding, and another 15 new control deficiencies were identified in the GAO’s latest review.

Among some of its new recommendations include maintaining up-to-date network diagrams and performing continuous monitoring on its operating systems, databases and network devices.

The upshot of this blog post is not to criticize or shame the SEC. To its credit, the agency’s chief information officer, Pamela Dyson, wrote in a July 14 letter that the regulator agrees with the GAO’s recommendations, and has either fixed or plans to fix all security deficiencies pointed out by the GAO. We only want to underscore for wealth management firms and other financial services companies that even the most powerful regulators sometimes struggle to stay one step ahead of cyber-criminals. That gives you an idea of just how big the problem of cybercrime has become.

Most financial services firms don’t have to store even a tiny fraction of the data and documents in the SEC’s library, but nevertheless find it stressful, expensive, and/or time-consuming to implement, update, and monitor cybersecurity solutions on their own. This is only natural, since financial services professionals possess extensive expertise about finance—not IT. Furthermore, small wealth management practices with only a few employees don’t have the resources to hire internal IT teams to ensure their cybersecurity software and processes adequately protect data and comply with regulations.

This is why outsourcing IT, including cybersecurity, to a third-party technology provider with a team of experts in both IT and financial services, and a proven track record of safeguarding data and remaining compliant with regulations as they change, can be very beneficial over the long term. Our own workplace wealth_ solution enables our team of experts at External IT to assume responsibility for managing, maintaining, and securing a financial services organization’s entire IT infrastructure across all of its approved devices.

And with cybercrime such a huge problem, particularly for financial firms, we are constantly making security improvements. By streamlining a wealth management firm’s IT, apps, and data into one secure, cloud-based digital hub, we can seamlessly roll out these cybersecurity updates as new cyber-threats (and regulations) come down the pike—taking the worry away from financial advisors and other financial services professionals, and allowing them to spend more time on their core competencies and clients.

And it isn’t just financial services companies that can benefit from an IT arrangement with a third-party expert—the regulators that monitor these firms can also improve their cybersecurity by working with a private IT vendor that boasts a solid track record of securing and optimizing wealth management businesses.

Topics: Cybersecurity, Cloud Computing, Software-as-a-Service, Breakaways

Written by Justin Kapahi

Justin Kapahi is VP, Solutions & Security for External IT. He has over 15 years of experience in technology & finance and is the former CTO of Fairholme Capital Management.