Financial advisors and firms have improved their cybersecurity measures since a 2014 assessment, but more still are needed, according to a recent report by the U.S. Securities and Exchange Commission (SEC).
Ironically, the commission’s own watchdog says the same thing about the SEC.
Let’s start first with what the SEC reports, which is geared toward advisors, broker-dealers and funds but certainly is applicable to accountants and tax preparers. The IRS also continues to monitor cybersecurity and issue warnings.
SEC examiners looked at 75 firms and noted a general improvement in awareness of cyber risks and the implementation of security practices. And just about all of them had written cybersecurity policies and procedures to protect client records and information.
This examination focused more on cybersecurity preparedness by targeting risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
The SEC’s findings include the following:
- Nearly everyone at the 75 firms uses periodic risk assessments of systems considered critical to cyber threats.
- Less than half of advisors and funds did vulnerability and penetration tests on critical systems, and some firms didn’t completely fix some of the high-risk situations that the tests revealed.
- All the firms use a system or tool to prevent, detect and monitor data loss of personally identifiable information.
- Almost all of the firms use a process to ensure system maintenance, including the installation of software patches that address security lapses. Some firms, though, had not yet installed critical security updates.
- Information protection programs usually include pertinent cyber topics.
On the other hand, a report by the U.S. Government Accountability Office (GAO) — the SEC’s watchdog — says that the commission improved its control over financial systems but needs to take more action.
“Information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems,” the GAO said. “Until SEC mitigates its control deficiencies, its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise.”
The SEC had resolved 47 of the 58 recommendations the GAO made previously that hadn’t been put in place by the fiscal year 2015 examination. But the commission hadn’t completely implemented 11 recommendations, including the consistent protection of network boundaries from intrusions, authenticating users, access authorization, auditing network actions, and encrypting information while it’s being transmitted.
The GAO also identified 15 new deficiencies that limit the SEC’s ability to protect its information systems. Although they don’t represent a material weakness or serious deficiency, they warrant management attention, wrote Gregory Wilshusen, GAO’s Director of Information Security Issues, and Nabajyoti Barkakati, Director of the Center for Technology and Engineering, to SEC Chairman Jay Clayton.
They recommended that Clayton maintain updated network diagrams and asset inventories in the system security plans and a key financial system to accurately reflect the current operating environment; and continuously monitor automated configuration and vulnerability scanning on operating systems, databases and network devices.
In a separate limited official-use only report, the GAO executives also made 13 recommendations, including those regarding access, configuration management and separation of duties.
According to the GAO report, the SEC agreed with the recommendations.
About Terry Sheridan
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.