
US asset-managers and cyber-attacks: the SEC reveals its figures

Chris Hamblin, Editor, London, 11 February 2015

Three-quarters of US investment advisors and nearly nine-tenths of broker-dealers could have been hit by cyber-attacks, according to a survey by the US regulator.

The US Securities and Exchange Commission recently visited ('examined') 57 registered broker-dealers and 49 registered investment advisors to gain a better understanding of how they cope with the legal, regulatory and compliance problems associated with cybersecurity. A majority of the broker-dealers (88%) and the advisors (74%) stated that they had experienced cyber-attacks directly or through one or more of their vendors.  The majority of the cyber-related incidents were related to malware and fraudulent emails.

The highlights of the findings were as follows.

  • One-quarter of the broker-dealers that had losses related to fraudulent emails noted that these losses were the result of employees not following the firms’ identity authentication procedures.  The one adviser that reported a loss also noted that its employees had deviated from its identity authentication procedures.
  • Almost two-thirds of the broker-dealers that received fraudulent emails reported them to the Financial Crimes Enforcement Network (FinCEN) by sending off suspicious activity reports (SARs), but only 7% of them reported them to other police-type bodies or other regulators. Quite why the SEC expected them to do so remains a mystery.
  • Only 11% of the broker-dealers and 4% of the advisors reported skulduggery on the part of employees.
  • The vast majority of the broker-dealers (93%) and advisers (83%) in the survey have written information security policies in place.  Most of the broker-dealers (89%) and the majority of the advisers (57%) audit these periodically.
  • More than half the broker-dealers and just under half the advisors reported receiving fraudulent emails seeking to transfer client funds. More than a quarter of those broker-dealers reported losses related to fraudulent emails of more than $5,000, but no single loss exceeded $75,000.

In the meantime, the regulator is planning to increase its cyber-security reviews of hedge funds and investment advisors by introducing 'examinations' and independent testing on the subject, according to the US compliance press.
