04.24.2014

SEC Targets Cyber Security

Terry Flanagan

The U.S. Securities and Exchange Commission is embarking on a program to examine the preparedness of the financial industry for cyber security threats.

The SEC will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cyber security, according to a risk alert issued on April 15.

“The SEC put together a document that outlines best practices a hedge fund must have from the standpoint of cyber security,” said Grigoriy Milis, chief technology officer at Richard Fleischman and Associates. “It outlines the variety of measures that any company should take to protect themselves from cyber security issues. I see the document as providing guidelines for hedge funds in terms of what procedures they need to take to protect client information.”

The SEC notes that the guidance is not a rule, regulation, or statement of the Commission, “so I don’t think anyone will be exposed to any penalties, but everybody will be expected to follow the guidelines outlined in this document,” Milis said.

Most important are sections that deal with security policies that need to be created. “Many hedge funds already take a number of steps to protect their networks against intrusions,” Milis said. “They went to great length in terms of procedures and policies that companies need to create. This is something that many firms overlook, but it is a very important component of any cyber security defense.”

On March 26, 2014, the SEC sponsored a Cyber Security Roundtable, where chair Mary Jo White underscored the importance of this area to the integrity of the market system and customer data protection. White also emphasized the “compelling need for stronger partnerships between the government and private sector” to address cyber threats. Commissioner Aguilar emphasized the importance of the Commission gathering information and “consider what additional steps the Commission should take to address cyber-threats.”

The SEC examinations will focus on each entity’s cyber security governance, identification and assessment of cyber security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber security threats.

According to the latest IBM X-Force Threat Intelligence Quarterly report, financial markets are the third-most targeted industry for cyber-attacks, accounting for 12% of cyber-attacks.

An analysis of X-Force threat intelligence data during the month of December 2013 reveals that out of a survey of more than one million banking and enterprise customers, the most targeted applications were Oracle Java, Adobe Reader and popular browsers.

Java is a widely deployed high-risk application that exposes organizations to advanced attacks. The number of Java vulnerabilities has continued to rise over the years, and the number of reported Java vulnerabilities more than tripled between 2012 and 2013, according to IBM.

“It’s not surprising that these are the most targeted user applications,” said the IBM report. “After all, these are all applications found on most user endpoints; they all have vulnerabilities that can be exploited to deliver malware to users’ machines; and all of these applications can receive and process external content.”

This means that attackers can create “weaponized” content: files or documents that contain exploits that take advantage of vulnerabilities in the application. Attackers use spear-phishing messages to draw users to websites that contain hidden malicious Java applets (exploit sites).
