About three-quarters of money managers and other registered investment advisers, and almost 90% of broker-dealers surveyed by the SEC said they've been the subject of a cyber-related incident directly or through their external providers.
Most of the incidents were related to malware and fraudulent e-mails, according to an examination of 49 institutional and retail money managers and other RIAs, and 57 broker-dealers. Among the money managers examined, 12.2% had institutional clients and 4.1% had pension fund clients; among broker-dealers, 7% had institutional clients.
Forty-three percent of managers and 54% of broker-dealers reported receiving fraudulent e-mails seeking to transfer client funds. One investment adviser reported a loss in excess of $75,000 related to a fraudulent e-mail, for which the client was reimbursed. The loss occurred because the firm's employees did not follow established identity authentication procedures.
The Securities and Exchange Commission examination also showed:
- Eighty-three percent of money managers and other RIAs and 93% of broker-dealers had written information security policies, but only 13% of managers and 30% of broker-dealers had provisions to determine their responsibility for cyberattacks.
- Seventy-nine percent of managers and other RIAs and 93% of broker-dealers conduct periodic risk assessments to identify cybersecurity threats and potential business consequences, but while 84% of broker-dealers apply those assessment requirements to their outside vendors, only 32% of managers and other RIAs require such assessments for external providers with access to their networks.
- Twenty-four percent of money managers and other RIAs incorporate cybersecurity requirements into their contracts with external service providers, while 72% of broker-dealers have such requirements in vendor contracts.
The examination report is available on the SEC's website.