The threat of cybersecurity breaches is the biggest risk the broker-dealer industry faces, according to top Sifma executives.

“Nothing can strike at the heart of financial stability more than a broad-scale, broad-based cyberattack,” Sifma chairman Joseph Sweeney said last month at the Sifma Annual Meeting in Washington, D.C., when asked about the biggest threat to the industry.

“So, it’s really incumbent upon us as an industry to continue to push for cyberdefenses, cyber resiliency and recovery in the event of a cyberattack,” added Sweeney, who is also the president of the Advice & Wealth Management Products and Service Delivery organization of Ameriprise Financial.

Sweeney noted that “a significant amount” of time, energy and resources has been dedicated to cybersecurity, “but it’s important for us to continue to leverage that investment and work collaboratively in concert with organizations around the world to ensure that we’re doing the best job we possibly can because it is here to stay.”

James Allen, the recent chairman of Sifma and chairman emeritus of the group for 2020, said cybersecurity is the “one thing that keeps me awake at night.”

Allen noted that cybersecurity shouldn’t be the job of the technology department exclusively.

“It’s all our responsibility and we have to be vigilant,” he said.

Allen was previously the chairman and CEO of broker-dealer firm Hilliard Lyons, now a part of Baird, where he is the vice chairman.

Just as banks “in the old days” protected themselves against bank robbers, broker-dealer firms should be employing virtual protections, according to Allen.

“In the modern day — right now — we need to be fortifying our systems and our technology,” he said. “It’s everyone’s responsibility.”

Allen noted that employees go through cybersecurity training at Hilliard Lyons.

“They test us on phishing and things like that,” he said. “We need to be hypersensitive about that.”

Both Sweeney and Allen said the so-called Quantum Dawn V is an example of the kind of work and cooperation that must go into fighting and preventing cybersecurity threats.

Quantum Dawn V

Quantum Dawn V — a global exercise that took place last month — enabled key public and private bodies around the globe to practice coordination and exercise incident response protocols, both internally and externally, to maintain smooth functioning of the financial markets when faced with a series of sector-wide global cyberattacks, according to Sifma.

The exercise helped identify the roles and responsibilities of key participants in managing global crises with cross-border impacts. The exercise scenario emphasized cross-jurisdiction communication and coordination between member firms and regulatory agencies in North America, Europe, and Asia, Sifma adds.

“It is great to see the Quantum Dawn V broadening to a global issue. We need global cooperation on that front,” Sweeney said, noting that 180 firms participated in the exercise.

Defend and recover

When asked about cybersecurity at the conference, SEC Chairman Jay Clayton said he has three ways of looking at it: the SEC’s own preparedness; in terms of disclosure mandates; and market infrastructure.

“We — like any organization — have challenges to deal with,” Clayton said.

“We are approaching this in a fairly rigorous way, which is reducing the attractiveness of the SEC as a target, increasing defenses, continuing to assess those [threats], and resiliency — trying to ensure that in the event that we do have a problem, we can recover,” he added.

In terms of the SEC’s disclosure mandate, Clayton said he believes registered firms “are doing a better job of informing the public about this risk and about the potential impact on their investments as a result of a cyber incident, whether it’s issue-specific or more systemic.”

When it comes to market infrastructure, Clayton said his thoughts turn to potential risks and asked these questions: “What’s the recovery protocol? Do we have sufficient resources to deal with it? Does everybody have the same consultant?”

Clayton believes cybersecurity may be one area where it would be better to over-prepare.

“We are so data dependent,” he said. “In our industry, it’s almost like a question of how you can always be doing something more.”