SEC Advises Brokers, Investors on Risks of Hacking and Other “Cyber” Attacks

“Cybersecurity” is a major issue that affects many large, publicly traded companies. Recently Anthem, Inc., the nation’s second-largest health insurer, reported a major breach of its security. Hackers managed to acquire personal data—Social Security numbers, telephone numbers, addresses, et cetera—on millions of Anthem customers. This attack comes just a couple weeks after President Obama announced his support for new legislation that would require companies “to inform consumers of a data breach within 30 days of discovery.”

For its part, the Securities and Exchange Commission recently issued a pair of cybersecurity-related documents to investors and companies. In a “Risk Alert” published by the SEC’s Office of Compliance Inspections and Examinations (OCIE), the agency discussed its survey of over 100 registered brokers and investment advisers regarding their own cybersecurity policies. Most of those surveyed said they had “written information security policies,” and conducted “periodic audits” to ensure compliance.

But just having written policies are not enough. OCIE noted less than a third of brokers surveyed—and only about 1 out of 10 investment advisers—had procedures in place “to determine whether they are responsible for client losses associated with cyber incidents.” And in fact, most of the firms surveyed said they had suffered cyber-attacks, either directly or through an affiliated vendor.

OCIE identified “malware and fraudulent emails” as the most common form of cyber-attack. About half of those surveyed said they had received false emails from individuals purporting to be clients. Brokers reported losses of upwards of $75,000, requiring restitution to affected clients. Several firms claimed these losses were the result of employees not following existing written cyber-security policies.

Protecting Yourself from Cyber Attacks

Cybersecurity is not just a broker responsibility, however. In a second publication, the SEC’s Office of Investor Education and Advocacy advised investors to take better care in protecting their online brokerage accounts. Many of the SEC’s tips are common sense but nonetheless bear repeating in light of ongoing cybersecurity threats.

First and foremost, the SEC said anyone with an online brokerage account should use a “strong” password that is changed on a regular basis. The SEC said a good password has “eight or more characters that include symbols, numbers, and both capital and lowercase letters.” Investors should also avoid using the same password for different brokerage accounts. Ideally, investors should also take advantage of “two-step verification,” a common cybersecurity mechanism now employed by many brokerages. A two-step process includes not just a password, but also requires an additional code sent to an investor’s email account or smartphone.

Other SEC cybersecurity tips include exercising caution when accessing your account over a wi-fi connection, especially those in public places like airports or coffee shops; avoiding the use of any public computers, such as those at libraries, to access your account; and regularly checking your brokerage statements to ensure nobody has made any unauthorized or suspicious transaction.

Of course, even the most cybersecurity-conscious investor may still fall prey to a data breach. If you have been the victim of a cyber-attack and need advice on your legal rights, contact Florida securities fraud attorney Gregory Tendrich, P.A., right away.