FINRA Sees ‘Proliferation’ of Complaints About Cybersecurity Breaches, Official Says

By Maria Lokshin  


The Financial Industry Regulatory Authority has seen a “proliferation” of complaints about cybersecurity breaches at broker-dealer firms, a FINRA official said June 17 at an event hosted by the Insured Retirement Institute in Washington.

“It's a pretty big issue for us,” said Daniel Sibears, FINRA executive vice president for member regulation. “There are many dozens of complaints where there's been [a] compromise of customer information, particularly information that is needed to get into online accounts and to execute transactions and move money.”

Typical Breach

According to Sibears, the typical scenario of a breach involves individuals who hack into the private email accounts of FINRA members' customers, gaining access to the clients' correspondence with the firms. Posing as the customer, Sibears said, the hackers then tell the firm there has been an emergency and seek to move thousands of dollars' worth of cash or securities.

Because everything looks legitimate from the firm's perspective, the company wires out the money into an account that the customer had never used, he said. The result, Sibears said, has been a “fair amount of harm” to the firm's customers.

“I think the good news is that firms are generally making customers 100 percent whole … but it's an issue for firms to be focused on,” Sibears added.

FINRA, he said, has sent out letters to firms in an effort “to get our arms around what's happening in this space.” From a compliance standpoint, Sibears explained, the firms wire the money to the hackers either because the customer validation procedures are inadequate or because the firm employees are in a hurry to assist the client.

Not a High Priority for SEC?

According to Willie Davis, examination manager at the Securities and Exchange Commission Chicago office, cybersecurity issues have not been a high priority for SEC exams so far.

“From the examination program perspective, [I] can't say it's been a high priority yet, but we definitely understand that the issue's out there,” said Davis, who spoke alongside Sibears. “I think it will probably … be a focus area for the upcoming year.”

Davis advised that firms should keep cybersecurity on their “radar.” The SEC official said he spoke about his own views, which did not necessarily reflect those of the commission or staff.

For state regulators, cybersecurity issues are a top area of focus. According to Bruce Ramge, director of the Nebraska Department of Insurance, cybersecurity is currently the No. 1 risk management issue.

“The costs associated with a breach are tremendous,” said Ramge, who also spoke on the panel.
