Some brokerages aren't doing enough to protect themselves from cyberattacks while other firms don't share information that could reduce future threats, according to U.S. securities regulators.
The Financial Industry Regulatory Authority said its examiners found wide variation in the way brokers defend against the risk of hackers. While large brokers have sophisticated systems for monitoring threats and sharing information, some smaller firms haven't taken basic steps such as assessing their vulnerabilities, Finra said in a report released Tuesday.
Finra's findings follow hacks on large banks such as JPMorgan Chase & Co. that led to the theft of customer data and a breach of web-based systems operated by the Federal Reserve. Brokerages could bolster their defenses by tightening relationships with vendors and improving employee training, the report said.
"Finra expects firms to consider the principles and effective practices presented in this report as they develop or enhance their cybersecurity programs," the regulator, which is funded by the brokerage industry, wrote in its report. "Finra will assess the adequacy of firms' cybersecurity programs in light of the risks they face."
Hacks Not Reported
The U.S. Securities and Exchange Commission released a separate report today that found 88 percent of brokerages and 74 percent of money-management firms have been victims of cyberattacks directly or through a vendor. The SEC findings were based on a survey of 57 brokerages and 49 investment advisers to find out how financial firms prepare for hacking threats.
The SEC's report said many brokers and money managers lack policies that address whether they will reimburse clients for losses. Firms also don't typically tell regulators or law enforcement about network breaches, as just 11 percent of brokers and 4 percent of investment advisers reported incidents in which employees misappropriated client funds, securities or customer data.
"Today's risk alert makes clear that cybersecurity is a persistent and growing threat and that firms must take their cybersecurity duties seriously," SEC Commissioner Luis Aguilar said in a statement. "If they do not, they jeopardize themselves and threaten the financial safety of the millions of Americans who have put their trust in them."
Finra's examinations focused on about 20 broker-dealers, including large investment banks, online brokers and high- frequency traders. Neither Finra nor the SEC said whether firms would face penalties for deficiencies found by regulators.
Finra said threats varied depending on the type of business a broker conducts. Firms that rely on algorithms to trade worried about their own employees stealing proprietary information, while large banks said "risks from nation states or hacktivist groups" posed the biggest threat.
Finra's examiners found some brokers don't share information about risks because they worry "a firm might be subject to regulatory scrutiny." The regulator urged brokers to ensure they have a cybersecurity program to train all employees.