BreachExchange mailing list archives

Scottrade Breach: Gut Check for Advisors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 Oct 2015 18:28:06 -0600

http://www.financial-planning.com/news/industry/scottrade-breach-gut-check-for-advisors-2694356-1.html

Scottrade's data breach underscores the importance for wealth managers to
make sure that they are strengthening their cyber defenses, experts say,
particularly as it has become a key area of focus for regulators.

"Anyone within SEC purview is under increasing pressure to up their game
when it comes to cyber awareness and protection, including wealth managers,
whether online or offline," said Craig A. Newman, chairman of the privacy
and data security practice at New York law firm Patterson Belknap Webb &
Tyler.

Suggestions that this incident could hurt the appeal of digital advice
platforms are misinformed, says Joel Bruckenstein, a Financial Planning
columnist and co-creator of the Technology Tools for Today conference
series and technology guides for advisors.

"Where's your money? Schwab? Fidelity? All have online access. What I've
been telling advisors is your stuff is in the cloud already, get over it.
Vanguard is a digital provider, Fidelity is a digital provider, Citibank is
a digital provider -- tell me who's not a digital provider?"

Scottrade spokeswoman Whitney Ellis said federal authorities informed the
online brokerage that hackers accessed its network sometime between late
2013 and early 2014, and targeted client names and street addresses from a
database of 4.6 million clients.

"Although Social Security numbers, email addresses and other sensitive data
were contained in the system accessed, it appears that contact information
was the focus of the incident," Ellis said.

"We have no reason to believe that Scottrade’s trading platforms or any
client funds were compromised. Client passwords remained fully encrypted at
all times and we have not seen any indication of fraudulent activity as a
result of this incident."

Newman says that how Scottrade handles the incident now will determine the
extent of the reputational damage to its brand and customer retention.

"When people invest their capital, they're looking for trustworthy
stalwarts of their capital, and cyber security protection is one of the
things that should be on that checklist," he says. "There are plenty of
examples where hackers have gotten into different asset managers, and
within minutes drained tens of millions before they were detected. I would
not want to be one of those asset managers."

Newman says it would be "naïve" to assume Scottrade or any digital
investment platform was more vulnerable to cyber-attacks because they exist
online. "Traditional wealth advisors have been hacked, it's just that many
are just not under regulatory or legal obligation to make public
disclosure."

NEW EXAMS
Newman noted that just two weeks ago, the SEC put brokers and advisors on
notice that cybersecurity remains a top priority, and the subject of an
ongoing series of targeted exams.

The commission is planning to launch a second wave of exams looking at how
firms are protecting their IT systems and safeguarding clients' sensitive
information, the SEC's Office of Compliance Inspections and Examinations
said in a recent risk alert.

Through the next phase of exams, the SEC intends to evaluate how firms are
handling issues such as governance and risk assessment, access privileges
and data protection, as well as how they are training their employees and
what plans they have in place to respond in the event that they are the
target of a hack. Among other areas of concern, OCIE indicates that
examiners will look to see whether firms are periodically reassessing their
security policies, whether company leaders or directors are involved in
cybersecurity, and how firms are monitoring the flow of information beyond
the firewall. These exams will build on the insights gleaned from the
initial review, through which examiners visited more than 100 advisor and
broker-dealer practices.

"The office is conducting a second round of cybersecurity examinations to
make sure firms are properly implementing the formalized procedures and
controls they should already have in place," says Justin Kapahi, technical
director of the financial services practice at External IT, a cloud
computing service provider.

In its risk alert, OCIE notes that some firms continue to struggle with
"weaknesses in basic controls," and offers in its appendix a series of
specific factors that examiners are likely to look at when they conduct a
cybersecurity review, including policies on customer information and patch
management, access controls, and the role of chief information security
officer or an equivalent position.

The risk alert signals the continuing review of a longstanding area of
concern, but the level of specificity that the SEC is applying to the issue
can be read as its strongest statement yet that security is a major
priority, and that no firm is small enough to get a pass.

"Cybersecurity has been a highly visible issue across the country for
several years and has been a priority for the SEC for quite a long time --
this release is significant because it increases the heat," says Andrew
Wels, chief compliance officer at MarketCounsel, an advisor consultancy.

"The alert takes what had been a high level regulatory concern -- the
purview of the White House and big corporations -- and makes it a broader
issue to any regulated entity by telling them they should be already
protecting their data from cybersecurity breaches and this is now on the
OCIE checklist," Wels says. "The things they are asking for in the alert are
doable -- they are not asking for metaphysical safeguards to keep hackers
out, but reasonable measures need to be taken. All regulated entities now
need to do an assessment and make sure there are safeguards for data
systems."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com