By Joseph Borg
October 30, 2017 at 5:00 am ET
Last month we learned that as many as 143 million Americans may have been impacted by the Equifax hack. For some perspective, that’s more people than voted in the 2016 Presidential election. This one institution’s cybersecurity lapse may have jeopardized the finances and personal information of as much as 44 percent of the U.S. population.
Equifax is by no means the only national financial player to have cybersecurity issues in the past year, or even the past month. The Securities and Exchange Commission, the federal regulator of the nation’s securities markets, also recently announced a hack that may have breached high-value information.
New stories of compromised cybersecurity seem to break every day — across sectors and across geographies — as new firms are targeted and individuals victimized. The time has come to state in no uncertain terms that we are in the midst of a cybercrime wave. It poses a serious, persistent threat throughout the financial sector, and until it is acknowledged and treated as such, we will find little success in stemming the tide.
Unfortunately, amid this cybercrime wave, many organizations are leaving their virtual doors unlocked, or wide open. One of the most shocking revelations of the Equifax hack was that they had a large database protected by an account with a username and password that were the same word: admin.
Of course, to focus solely on Equifax is to miss the forest for the trees — while attention may focus on cyberattacks of nationally recognized institutions, the threat of cybercrime is just as severe for businesses of all sizes.
As the local cops on the securities beat, state securities regulators are on the frontlines of the fight against cybercrime, remaining vigilant against threats both immediate and emerging. As part of that effort, the North American Securities Administrators Association, which represents state and provincial securities regulators in the United States, Canada and Mexico, has been making the rounds and knocking on doors to make sure investment advisers are taking the necessary steps to protect their customers and communities from the devastation of fraud and cyberattacks.
This year, questions regarding cybersecurity measures were included as part of the coordinated examinations of state-registered investment advisers conducted by our members.
So what did we find? Simply put, room for improvement.
Over the course of more than 1,200 examinations of state-registered investment advisers in 37 U.S. jurisdictions, our members uncovered nearly 700 cybersecurity-related deficiencies.
A look at some of the most common deficiencies could just as easily be a list of commonsense steps. The top five deficiencies included firms conducting no testing of cyber vulnerabilities, lacking procedures regarding securing or limiting access to devices, lacking a technology specialist or consultant, lacking procedures regarding hardware and software updates or upgrades and having no or inadequate cybersecurity insurance.
And yes, we found more than a few investment advisers that were putting themselves and their clients at risk through weak or infrequently changed passwords.
In order to help investment advisers improve their efforts, NASAA has unveiled a checklist of best practices. The checklist is designed to help investment advisers identify risks, better protect their systems, detect issues, respond to cyber threats and recover should they face an attack. Of course, there is no guarantee that a firm will be completely safe from a potential cyberattack. However, arming investors and industry professionals with educational resources and tools needed to help safeguard client information is an important part of protecting sensitive personal information.
There has been a lot of attention directed to the issue of hacks and cybercrimes, but unfortunately these events have become so commonplace that people are treating these incidents as the norm. Until the financial services industry, regulators and clients begin to talk about the cybercrime wave as a serious epidemic, one that promises impending catastrophe, we will not see a serious effort from those unmoved by recent events.
Cybercriminals targeting our financial institutions threaten the structure and stability of the entire sector. This country has a track record of resolve and resilience when faced with serious threats of this magnitude. It is time we turned that spirit of response toward the challenge of cybersecurity and ended this crime wave.
Joseph Borg is the newly appointed president of NASAA, a position he is occupying for the third time, and has also served as the director of the Alabama Securities Commission since 1994.