June 5 - The most cutting-edge technology cannot
contain one of the biggest cyber hacking threats on Wall Street:
sloppy actions by brokers and other industry employees.
Brokerage firm workers have taped sensitive passwords to
their computer monitors and stored them in binders labeled
"passwords," according to officials from the Financial Industry
Regulatory Authority (FINRA), Wall Street's industry-funded
watchdog.
Some firms give login information to temporary workers and
forget to cut them off after their assignment is complete. At
the regulator's conference in May, examiners traded tales of
brokerage firm behaviors they had found that could lead to
security breaches.
One firm, for example, used the very-guessable "username" as
the username and "password" for the password that gave access to
the company's router, enabling access to the firm's sensitive
data.
The problems are coming to light as major online security
breaches in other industries are making Wall Street jittery and
as financial services industry regulators are focusing on these
issues.
Information security professionals said in an interview that
Wall Street's demand for their expertise has exploded,
especially among small brokerages that do not have safeguards in
place. At the FINRA conference, the cyber-security session was
so packed that many professionals sat on the floor.
Security breaches could trigger privacy law violations and
trouble with financial regulators, which have noted a spate of
breaches in other sectors and companies, including eBay Inc,
Target Corp, Neiman Marcus Group LLC and other retailers.
FINRA and the U.S. Securities and Exchange Commission are
looking into measures that brokerages and asset managers have
put in place to safeguard against cyber attacks. On Tuesday, the
top Massachusetts securities regulator announced cyber audits of
state-registered financial advisers.
TRAIN, DON'T COMPLAIN
The heightened focus on cyber security is sparking change at
smaller firms, which often do not have procedures or systems in
place to prevent hacking, said Joseph Rivela, chief strategist
for Breach Intelligence LLC, a Farmington, Connecticut
information security firm. "Many firms are far behind the
curve," Rivela said.
Large brokerages typically have more established procedures
and technology in place to prevent hacking, Rivela said. But
even their employees can be duped. For example, firms have been
facing a rash of incidents in which scam artists pose as
customers and make wire transfer requests. FINRA has disciplined
numerous sales assistants who transferred funds without first
verifying those requests with the actual customers.
Educating employees about scams is a key step, said Rocco
Grillo, who heads a global information security unit at
Protiviti, a division of California-based Robert Half, in an
interview.
Other security threats include "phishing" emails that
purport to be from clients and ask for personal data, as well as
fake wireless hot spots that scam artists set up in public
spaces to invade firms' systems, Grillo said.
Some companies hold employees accountable for information
security breaches by withholding bonuses or even firing them,
Grillo said.
(Reporting by Suzanne Barlyn; Editing by Linda Stern and Steve
Orlofsky)