SEC warns of third party cybersecurity risks

Panellists at the US Securities and Exchange Commission Compliance Outreach Program flagged third party vendors as a crack in any firms’ cyber security shield.

Third-party vendors are a main cybersecurity weakness for firms, according to the US Securities and Exchange Commission (SEC). 

Before using a third party vendor, firms should conduct significant amounts of due diligence on the vendor, warned Steven Levine, associate regional director, National Exam Program, Chicago Regional Office at the SEC at a compliance outreach event.

RT Jones is an example of the risks. The firm, a provider of investment advice for retirement plan participants, was a victim of a cyber-attack. The firm used a third-party hosted server containing client information for four years and failed to report it to the SEC, for which it was fined $75,000 in September 2015.

It was as if RT Jones said, “the wallet is open, come take the money,” said Adam Aderton, assistant director, Division of Enforcement,  Asset Management Unit at the SEC.

Aderton added that cybersecurity policies need to be realistic, detailed, and most importantly up-to-date with current technology so that they are as relevant as possible, in order to account for future cybersecurity risk. 

Wendy Fox, vice president and chief compliance officer (CCO) of mutual fund, Ariel Investments, said that private equity firms need to conduct due diligence checklists. 

Fox noted “cybersecurity policies can vary from shop to shop”. Firms should also identify someone who is responsible for cybersecurity and conduct risk tests and cyber incident tests, she said.

Among other risks, Levine highlighted the need for data loss prevention on a firm's computer systems, noting that a thumb drive plugged into a computer can steal information in only seconds. 

Personal emails containing malware can infect a firm's computer system and employers should be aware of the risk of allowing employees to check their personal emails on a company hosted network, Levine warned. 

He added that employees at firms are usually bad at following the guidelines for the transferring of funds and that they should look more closely at how firms monitor data transfer. Due diligence practices should also be conducted during training, he said. 

Panellists have voiced that cybersecurity is a serious issue that requires detailed measures to be taken, being prepared, having the most relevant and technology conscious policies in place will help a firm to avoid cybersecurity breaches. It will also help a firm during post mortem in the event of a breech.