Skip navigation
Cyber Sweep: A Quarter of B/Ds Breached in Email Attacks

Cyber Sweep: A Quarter of B/Ds Breached in Email Attacks

Regulators' cybersecurity sweeps find that firms are suffering breaches, but prevention methods and insurance are widely adopted.

A quarter of broker/dealers have suffered losses of more than $5,000 after receiving fraudulent emails seeking to transfer client funds, according to the Securities and Exchange Commission.

On Tuesday, the SEC and the Financial Industry Regulatory Authority released reports on information gathered from their cybersecurity sweeps conducted in 2014. The SEC’s sweeps encompassed 57 broker/dealers and 49 registered investment advisors, while FINRA’s data was gathered from 224 b/ds.

Click to Enlarge

Other key findings include:

  • Fifty-four percent of b/ds and 43 percent of RIAs say they’ve received phishing and fraudulent emails seeking to transfer client funds.
  • Only one RIA (out of the 49 surveyed) reported a loss related to an email scheme. But that attack cost the advisor more than $75,000 in losses.
Click to Enlarge

In both surveys, b/ds said employees could be the weak link.   

  • A quarter of those firms that had suffered losses reported the breach was the result of employees failing to follow identity authentication measures.
  • About 95 percent of b/ds said they mandated training for staff, according to FINRA’s sweep.
  • Only a small portion of firms reported employee intentional misconduct—11 percent of b/ds and 4 percent of advisors.
Click to Enlarge

When it comes to protecting against breaches 

Most b/ds have written information security policies, but these policies generally don’t address how to determine who is responsible for client losses around cyber attacks.

  • Ninety-three percent of b/ds had written information security policies, versus 83 percent of advisors had one.
  • Only 15 percent of b/ds and 9 percent of RIAs offered security guarantees to protect their clients in a cyber-related losses.
  • Eighty percent of firms had established cybersecurity risk assessment programs, FINRA said.

The regulators may have only asked about cybersecurity measures in these most recent sweeps, but regulation and enforcement could be on the way. Yet many advisors may not have the resources in-house to meet regulators’ expectations. And securing their systems is going to require outside help and a hefty investment.

“It’s just way too much for a typical advisor to handle,” Donald J. Kalil, president of Wilmington, Del.-based Affinity Wealth Management, told in August after receiving the SEC's information request.

“The typical IA is going to have one or two IT people, and that questionnaire is essentially one that even a giant b/d conglomerate would have trouble relating to," John Reed Stark, managing director at cyber security firm Stroz Friedberg and former Internet enforcement at the SEC, said at the time. Stark doesn’t believe it’s simply a request for information to get an idea for what advisors are doing. SEC staff members told Stark that the preliminary results of the sweep were poor, in his recent conversations with them.

“They’re not just going to sit on a bunch of poor responses and say, ‘OK, isn’t that interesting?’” Stark said. “They’re either going to bring enforcement cases, or they’re going to do rulemaking. And I don’t see how you can do rulemaking in this space because technology is ever-changing.”


-Additional reporting by Diana Britton.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.