The SEC recently released a report on their cybersecurity and resiliency observations gathered through their thousands of reviews.
On January 27th, the SEC’s Office of Compliance Inspections & Examinations published a report summarizing its observations regarding cybersecurity and how the financial industry has addressed this perennial hot topic over the past several years. While there is no “one-size-fits-all” approach, the following breakdown gives valuable insight into how financial industry players have broadly addressed cybersecurity concerns and, thus, how examiners may be judging your own practices. One thing is for sure: your controls should touch on the following seven areas, at a minimum. Short on time? Read my take-aways in each area for a brief synopsis.
1. Governance and Risk Management
Senior level engagement – appropriate senior level attention to setting a strategy/oversight of the firm’s cybersecurity program.
Risk assessment – conducting risk assessments to identify, manage, and mitigate cyber risks that are relevant to the firm’s business (e.g. consider business model, prioritize potential vulnerabilities like remote/traveling employees, international operations, geopolitical risks, etc.)
Policies and procedures – adopting and implementing written policies and procedures that address the identified risks above.
Testing and monitoring – establishing a regular and frequent testing and monitoring regimen to ensure the efficacy of the cybersecurity policies and procedures.
Continuously evaluating and adapting to changes – responding promptly to testing and monitoring results by updating policies and procedures to address the gaps with senior level management involvement, as appropriate.
Communication – establishing an internal and external communication plan to provide timely information to decision makers, customers, employees, other industry participants, and regulators, as appropriate.
Take away: For those who have a robust compliance program, replace the word “cyber” or “cybersecurity” with “compliance program” and this really is Compliance 101. Essentially, regulators want you to be thinking about these issues at the highest level of authority to convey importance, creating a plan, and testing and monitoring to ensure that the controls you have in place continue to be appropriate. Where any compliance program can go sideways is in failing to test and, most importantly, failing to do something about the findings.
2. Access Rights and Controls
User access – mapping who has access to what systems and data while ensuring that access to sensitive materials is limited on a need-to-know basis and reviewed periodically.
Access management – ensuring there are procedures in place to manage access, such as: (i) controlling access during the onboarding, transfer, and termination processes; (ii) checks and balances around user access approvals; (iii) reviewing access rights on a periodic basis (with particular attention to those with elevated privileges); (iv) using strong passwords that are changed periodically; (v) using multi-factor authentication; and (vi) revoking access immediately for those no longer employed or contracted by the firm.
Access monitoring – monitoring user access and developing controls around: (i) failed login attempts and account lockouts; (ii) handling of customer requests for username and password changes, as well as authenticating unusual customer requests; (iii) reviewing system hardware and software changes to know when they’re made; and (iv) ensuring changes made have been approved and properly implemented, and that any anomalies are investigated.
Take away: As the title suggests, these controls all relate to understanding and restricting access to authorized users, as well as considering how to prevent improper access through the use of strong passwords, multi-factor authentication, and being mindful of suspicious requests, etc.
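One way to turn the access review and access monitoring items above into a repeatable check, as an added example that is not part of the SEC report or this post. The HR roster, account data, review cadences and lockout threshold are all constructed or assumed policy values; a real firm would pull these from its directory, HR system and authentication logs.

```python
from datetime import date

# Constructed sample inputs (not from the SEC report): an HR roster and an
# account summary as a review script might pull from the directory and logs.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",   # left the firm but the account was never disabled
    "carol": "active",
    "dave": "active",
}
ACCOUNTS = [
    # user, enabled, privileged, date of last access review, failed logins today
    ("alice", True, False, date(2020, 1, 10), 2),
    ("bob", True, False, date(2019, 12, 1), 0),
    ("carol", True, True, date(2019, 6, 1), 0),
    ("dave", True, False, date(2020, 1, 5), 12),
    ("svc_backup", True, True, date(2019, 11, 1), 0),  # no HR record at all
]
TODAY = date(2020, 2, 1)

# Assumed policy values: elevated privileges are re-certified more often,
# and failed logins at or past the lockout threshold get investigated.
REVIEW_DAYS = {True: 90, False: 365}
LOCKOUT_THRESHOLD = 10


def review_access(hr, accounts, today):
    """Return (user, finding) pairs for the three checks from section 2."""
    findings = []
    for user, enabled, privileged, last_review, failed in accounts:
        # Access management (vi): enabled account with no active HR record
        if enabled and hr.get(user) != "active":
            findings.append((user, "REVOKE: enabled but not an active employee"))
        # Access management (iii): periodic review, tighter for elevated privileges
        age = (today - last_review).days
        if age > REVIEW_DAYS[privileged]:
            findings.append((user, f"REVIEW: last certified {age} days ago"))
        # Access monitoring (i): failed logins reaching the lockout threshold
        if failed >= LOCKOUT_THRESHOLD:
            findings.append((user, f"LOCKOUT: {failed} failed logins, investigate"))
    return findings


def run_review():
    return review_access(HR_ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

The orphaned service account is flagged twice (no HR owner, and overdue for privileged re-certification), which is exactly the kind of account the report's "particular attention to elevated privileges" language has in mind.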
3. Data Loss Prevention
Vulnerability Scanning – establishing routine scans of software code, web apps, servers and databases, workstations, and endpoints within the firm and at third-party providers.
Perimeter Security – implementing capabilities to control, monitor, and inspect all incoming and outgoing network traffic (e.g. firewalls, intrusion detection system, email security, web proxy systems with content filtering, and monitoring and blocking access to personal email, cloud-based file sharing services, social media sites, and removable media like USB and CDs).
Detective Security – implementing capabilities that are able to detect threats to endpoints to prevent unauthorized malware or software from running, as well as capturing and retaining system logs for analysis.
Patch Management – patching all software and hardware, including anti-virus and anti-malware installation.
Inventory Hardware and Software – maintaining an inventory of hardware and software assets so you know where they are located and how they’re protected.
Encryption and Network Segmentation – using tools and processes to secure data and systems both “in motion” (when transmitting data) and “at rest” (when stored), as well as segmenting access to limit data availability to only authorized systems and networks.
Insider Threat Monitoring – creating a protocol to identify what might be suspicious behavior, escalating issues to senior management as appropriate, conducting penetration testing, having rules around the transmission of sensitive data (e.g. account numbers, SSNs, trade information, source code, etc.), and tracking corrective actions in response to testing and monitoring.
Securing Legacy Systems and Equipment – verifying that decommissioned hardware or software is properly disposed of, with sensitive information wiped, and reviewing whether legacy systems are a vulnerability risk and should be replaced with a more modern system.
Take away: You need to know what your penetration vulnerabilities are as a firm (these can be systems-based as well as human error) and be consistently mitigating these risks by battening down the hatches on your firm’s information through testing, monitoring, and updating policies.
4. Mobile Security
Policies and Procedures – establishing policies and procedures around use of mobile devices.
Managing the Use of Mobile Devices – using a mobile device management application or similar technology for your business, email communication, calendar, data storage, and other activities.
Implementing Security Measures – requiring controls, such as the use of multi-factor authentication for all internal and external users; preventing printing, copying, or pasting to personally owned computers, smartphones, or tablets; and having the ability to remote wipe data on a device used for business purposes.
Training Employees – ensuring employees understand the policies and procedures around mobile devices.
Take away: When thinking about cybersecurity, it’s not just about systems you use in the office but the mobile devices that your employees carry around and conduct business on. Therefore, you need to have controls in place around these floating data centers and train employees to maintain due care.
5. Incident Response and Resiliency
Development of a Plan – developing a risk-based incident response plan for different, plausible scenarios that includes (i) timely notification and response; (ii) escalation procedures to appropriate levels of management, including legal and compliance; and (iii) communication with key stakeholders.
Addressing Applicable Reporting Requirements – complying with applicable federal and state reporting requirements for cyber incidents or events (e.g. as appropriate, filing suspicious activity reports, contacting local authorities or the FBI, informing regulators, notifying clients and employees, etc.)
Assigning Staff to Execute Specific Areas of the Plan – designating employees with specific roles during a cyber incident and determining if additional expertise is needed in advance.
Testing and Assessing the Plan – testing the plan several times and in a variety of scenarios to ensure its efficacy or make appropriate changes.
Maintaining an Inventory of Core Business Operations and Systems – mapping out the systems and processes that support the firm’s core business services to understand the impact of an individual business system or process failure.
Assessing Risks and Prioritizing Business Operations – developing a risk-based strategy to provide alternative solutions for core business services in response to an incident (e.g. What systems can be substituted during a disruption? Is there geographically separate backup data to avoid concentration risk? How will business disruptions affect stakeholders or other organizations?)
Considering additional safeguards – maintaining backup data in different locations, like a different network and offline, and considering cybersecurity insurance as appropriate.
Take away: Treat cyber incident response as you would disaster recovery planning and be sure there are appropriate procedures in place to trigger certain safeguards depending on the circumstances or to notify the appropriate individuals. As with any plan, it must be tested periodically for efficacy. Finally, in terms of cybersecurity prioritization, the firm should be focused on protecting its core business operations/functions. The goal is to be as minimally impacted by an incident as possible, so maintaining backup resources is key. Cybersecurity insurance is not a standard requirement and is only a consideration based on each firm’s specific business risk.
6. Vendor Management
Vendor Management Program – establishing a program to ensure vendors meet security requirements and have appropriate safeguards, by reviewing industry reports like SOC 2 and SSAE 18 or conducting independent audits, as well as having procedures in place to terminate and replace them.
Understanding Vendor Relationships – understanding all contract terms to ensure that all parties know how risk and security are addressed, including the vendors’ use of cloud-based services.
Vendor Monitoring and Testing – monitoring the relationship to ensure the vendor continues to meet security requirements and be aware of any changes to their services.
Take away: Cybersecurity doesn’t stop at you. It is also the vendors you use and let into the secure environment you’ve hopefully created.
7. Training and Awareness
Policies and procedures as a training guide – staff need to be trained on the cyber policies and procedures drafted to build a culture of cybersecurity readiness and operational resiliency.
Including examples and exercises in trainings – training employees through real-life examples, like using phishing exercises and walking through how to identify and respond to signs of suspicious behavior or a data breach.
Training effectiveness – constantly assessing whether training is effective in order to update it accordingly.
Take away: You need to provide training. There’s no use to policies and procedures without staff buy-in and understanding.