Earlier this week we presented at a Wells Fargo Prime Services breakfast briefing on cybersecurity. During the discussion, one panelist reminded attendees that the SEC has clearly defined (and communicated) its cybersecurity expectations. He recapped the following six areas advisers must have covered to demonstrate preparedness to regulators.
1. Risk Assessments
4. Access Control
5. Vendor Management
6. Information Sharing
Here’s Eze Castle Integration’s take on these focus areas:
#1 Risk Assessments
The April 2015 SEC Cybersecurity Guidance Update goes deeper into risk assessments expectations. Here are some key cyber risk assessment takeaways:
- Define what confidential data is and determine how it’s protected.
- You must also understand where your data is located, how it is collected and who and what technology systems have access to it.
- Registered investment advisers should have a clear understanding of the threat landscape, including potential internal and external risks as well as unique vulnerabilities specific to the firm. Evaluate a variety of potential scenarios as well as their likelihood to occur.
- Once firms understand the risks facing their organization, they must conduct assessments of the existing controls and processes to ensure they account for the risk landscape and put the appropriate safeguards in place.
- Be sure to understand the potential impacts of various cyber risk scenarios and outline specific protocols for incident response and quick resolution. The impact of cybersecurity incidents can range from financial to technological to reputational.
- Finally, testing and assessing the governance structure, including administrative and technical safeguards, is key to ensuring effectiveness.
Gone are the days of management simply outsourcing responsibility to third-party experts and trusting them blindly. Telling the SEC, “we hired the best security consultant,” won’t cut it. Today management must understand their firm’s security posture and be able to outline the safeguards that are in place to minimize risk. Additionally, management must instill the importance of security preparedness in all employees by making it a top-down priority.
A firm must train employees on handling confidential data and define their responsibilities around cybersecurity. One compromised computer can infect an entire organization, so at least annually, employees should complete security awareness training on a range of topics including:
- Importance of Security Policies: Outline employee responsibilities concerning information security, the incident escalation process and how to protect data from malicious intrusion.
- Cybersecurity Threat Landscape: Define the techniques an attacker may use (e.g., phishing) to access confidential data or systems, and how employees can avoid becoming victims.
- Practicing Internet Safety: Help employees recognize the signs of malicious activity, how it can spread and prevention strategies.
- Email Safety: Identify what makes an email message suspicious, such as a strange subject line or unexpected sender, and how employees should handle it.
- Access Control Responsibilities: Train employees on how access controls and passwords are maintained and expectations for employee behavior in both areas.
- Preventing Identity Theft: Educate employees on how identity theft occurs, including shoulder surfing/eavesdropping and dumpster diving, how to prevent it and what to do if they become a victim.
- Physical Security Threats: Focus gravitates towards cyber threats, but firms and their employees must still take physical security precautions including locking workstations/offices and properly storing sensitive documentation.
#4 Access Control
Employees require access to the data necessary to complete their job functions. But beyond that, firms should be limiting what data employees have access to. It’s not about not trusting your employees, but more so about not trusting the technology behind those employees. The less data employees can get to, the less damage can be done via an internal breach or external hack.
The SEC Cybersecurity Risk Alert issued in April 2014 highlights the importance of access control by asking about the controls a firm maintains to “prevent unauthorized escalation of user privileges” and how firms “restrict users to those network resources necessary for their business functions.” Part of a firm’s cybersecurity planning must be defining how company data is protected, where it is located and who has and needs access. Once access levels are defined and implemented, they must be reviewed at least annually (biannually or quarterly is better!) to ensure adherence firm-wide.
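The periodic access review described above can be made repeatable by comparing what each user actually holds against what their business function is allowed. The following is an added illustration, not code from Eze Castle Integration or the SEC; the role model, the `domain-admin` privileged entitlement and the user export are all constructed for the example.

```python
"""Periodic access review (constructed example, not Eze Castle or SEC code).

Compares each user's granted entitlements against the entitlements their
role is allowed, and flags excess access and unauthorized privilege
escalation (privileged entitlements held by non-admin roles) for reviewer sign-off.
"""
from dataclasses import dataclass, field

# Hypothetical role model: which resources each business function needs.
ROLE_ENTITLEMENTS = {
    "trader": {"oms", "market-data", "email"},
    "operations": {"oms", "fund-accounting", "email", "file-share"},
    "it-admin": {"oms", "market-data", "fund-accounting", "email", "file-share", "domain-admin"},
}
PRIVILEGED = {"domain-admin"}  # entitlements that count as privilege escalation if excess


@dataclass
class Finding:
    user: str
    role: str
    excess: set = field(default_factory=set)       # entitlements beyond the role
    escalation: set = field(default_factory=set)   # the privileged subset of excess


def review_access(users, role_entitlements=ROLE_ENTITLEMENTS, privileged=PRIVILEGED):
    """Return one Finding per user whose access exceeds their role.

    users: list of dicts {"user", "role", "entitlements"} as exported from the
    directory or application. An unknown role is allowed nothing, so every
    entitlement such a user holds is flagged rather than silently accepted.
    """
    findings = []
    for u in users:
        allowed = role_entitlements.get(u["role"], set())
        excess = set(u["entitlements"]) - allowed
        if excess:
            findings.append(Finding(u["user"], u["role"], excess, excess & privileged))
    return findings


# Constructed sample export: one clean user, one with excess, one escalation.
SAMPLE_USERS = [
    {"user": "alice", "role": "trader", "entitlements": ["oms", "market-data", "email"]},
    {"user": "bob", "role": "operations", "entitlements": ["oms", "email", "file-share", "market-data"]},
    {"user": "carol", "role": "trader", "entitlements": ["oms", "email", "domain-admin"]},
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_USERS):
        tag = "PRIVILEGE ESCALATION" if f.escalation else "excess access"
        print(f"{f.user} ({f.role}): {tag}: {sorted(f.excess)}")
```

Run against a real entitlement export, the findings list is the worksheet a reviewer signs off on; an empty list is the evidence of adherence the reviewer files.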
#5 Vendor Management
Risks are everywhere, particularly in today’s cyber-focused environment. But the risk a hedge fund undertakes when outsourcing a function of its business to a third party is enormous. Not only is the firm relinquishing control to or sharing data with an outside company, it also takes on the added burden of having to assess/monitor the provider’s security posture, in addition to its own.
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third party as a means of protecting your own firm. Successfully managing the risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of different parties.
Here are the CliffsNotes from our Five Steps to Effectively Managing Third Party Provider Risk:
- Understand the breadth/depth of the relationships your firm has established.
- Calculate potential risks and vulnerabilities.
- Conduct thorough due diligence before the relationship commences.
- Continue conducting proper due diligence throughout the course of the relationship.
- Employ contingency plans for terminating vendor contracts.
#6 Information Sharing
When it comes to cyber threats, firms can no longer act in silos; rather, they must share information with industry peers (including competitors) to protect the entire sector. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is one such group enabling information sharing.
More Cybersecurity Resources
Here are more articles that dive deeper into this SEC hit list.