Here are six lessons you can start using today from the SEC’s Investment Management Division guidance on protecting confidential information from cybersecurity risks.
Background
The staff of the Investment Management Division of the U.S. Securities and Exchange Commission (“Staff”) recently issued guidance to both registered investment companies (“funds”) and registered investment advisers (“advisers”) regarding the ever-present cybersecurity risks these entities face and measures they might adopt to protect the confidential and sensitive information that they collect, maintain, transfer, and destroy. This guidance was developed as a direct result of the Office of Compliance Inspections and Examinations (“OCIE”) report issued on February 3, 2015, which summarized its findings from an initial series of industry examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry, along with the Staff’s discussions with boards and senior management during the course of its examinations and monitoring efforts.
A majority of the broker-dealers (88%) and advisers (74%) reported that they had been the subject of a cyber-related incident according to the OCIE report, and the majority of these incidents were related to malware or fraudulent emails.
A Second Alert
The OCIE has recently issued a second alert outlining additional information on the areas of focus that the second round of cybersecurity examinations will target. In the upcoming round of examinations, the OCIE will focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response plans. Adopting the steps outlined below will assist you in preparing for and successfully passing an examination.
In one very recent case, a St. Louis investment advisor who suffered a China-based cyber attack that compromised the personally identifiable information (“PII”) of over 100,000 individuals (with no indication of a client suffering harm as a result of the disclosure) agreed to be censured and pay a $75,000 fine for violating the “safeguards rule” because the firm failed to adopt written policies and procedures reasonably designed to safeguard customer information (i.e. conduct periodic risk assessments, implement a firewall, encrypt personally identifiable information stored on its server, or maintain a response plan for cybersecurity incidents). Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, said: “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The SIX STEPS to Cybersecurity Success
The measures that were recommended by the Staff to address cybersecurity risk include:
Conduct periodic audits and ongoing assessments to identify the nature, sensitivity and location of the data collected, maintained, transferred and destroyed and the technology and information systems utilized. Actionable steps might include:
1) adopting and continuously updating written information security policies and procedures (including employee training on same) as the nature of data and its collection and usage evolve; and
2) utilizing external cybersecurity risk management standards such as the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”) and the Federal Financial Institutions Examination Council (“FFIEC”); and
3) inventorying, cataloging, mapping and continuously updating technology resources including data flows, hardware systems, physical devices, software platforms and applications, network resources, network connections (both internal and external) and logging capabilities and practices.
Conduct periodic audits and ongoing assessments of both internal and external cybersecurity threats and vulnerabilities to the information and technology systems. Actionable steps might include:
1) performing periodic risk assessments and deploying software that monitors systems for unauthorized intrusion, loss or exfiltration of data; and
2) conducting effective monitoring, testing and updating of internal perimeter defenses, firewalls, incident detection systems (whether internal or external); and
3) requiring risk assessments of vendors with network access and confirming that vendors’ compliance measures are in place and in conformity with internal compliance measures; and
4) routine testing and updating of data retrieval, storage and destruction capabilities; and
5) collecting information from vendors, third party contractors specializing in cybersecurity, topic-specific publications and conferences; and
6) participating in an information sharing network with other firms to assist in identifying external threats (e.g. Financial Services Information Sharing and Analysis Center).
Conduct periodic audits and assessments of security controls and processes currently in place. Actionable steps might include:
1) controlling access to various systems and data through two-factor authentication, management of authorization levels and user credentials, and correspondingly limiting administrative and vendor access; and
2) implementing strong password hygiene; and
3) encrypting data in some form; and
4) employing tiered access to sensitive data and network resources and network segregation; and
5) removing all non-essential software and services and all unnecessary or outdated usernames and logins; and
6) continuously updating software programs and services.
Conduct periodic assessments of the enterprise impact should a compromise of the information or technology systems occur. Actionable steps might include creating a written business continuity plan that includes an incident response plan and conducting routine periodic desktop exercises that mimic an actual incident.
Implement the compliance measures by educating and training officers and employees. Actionable steps might include:
1) designating a Chief Information Security Officer reporting to the board and responsible for managing cybersecurity; and
2) establishing corporate governance procedures for the management of cyber risk which include adoption by the board of the compliance strategy including the policies, procedures, business continuity plan and incident response plan.
Education of investors and clients about how to reduce their cybersecurity risk might be helpful to reduce the exposure of both firms and their clients and investors. Actionable steps might include providing information on how to reduce exposure to cybersecurity risk, either on the firm’s website or in periodic email or postal distributions (i.e. newsletters or bulletins).
A Slim Majority Maintain Policies and Procedures
Also noteworthy, the OCIE reported that with respect to vendor management, a slim majority (51%) of the broker-dealers and only 13% of advisers maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks. Funds and advisers that share common networks (either directly or indirectly) should consider whether it is appropriate to assess the entire corporate network. Furthermore, the reporting percentages were similar regarding maintenance of cybersecurity insurance that would cover losses and expenses in the event of a cybersecurity incident.
Of course, there are important business and financial considerations involved in the decision to minimize exposure to cybersecurity risk, and every business, large or small, must balance the benefits of status quo continuity with the risk of a cybersecurity incident. However, it is clear that the Staff takes cybersecurity risk seriously, and the April 2015 Guidance and the continued OCIE examinations and reporting will undoubtedly translate into routine practice expectations, whether during the course of a routine examination or an investigation as a result of a cybersecurity incident.