The SEC and other financial regulatory bodies have increased transparency demands with regard to cybersecurity in recent years, and as such, registered investment advisers face a long list of requirements to meet on the technology and operational front. In each of its cybersecurity guidance updates, the SEC has called out the need for hedge funds and private equity firms to "indicate whether they conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often.
Risk and vulnerability assessments have not only become must-haves for financial firms due to these regulatory initiatives, but also as a result of growing investor calls for transparency. Side note: If you missed the news, Eze Castle Integration has expanded its cybersecurity consulting services to deliver comprehensive vulnerability assessments (as well as penetration testing and third party due diligence audits) across both internal and external networks. Click here to read more about Eze Vulnerability Assessments.
We field a lot of questions about what exactly a security vulnerability assessment is, so we thought it best to review what such a test entails.
Here’s a quick overview.
The type of risk assessment typically associated with information technology and cybersecurity is an external vulnerability assessment. Essentially, this is the process of identifying and categorizing vulnerabilities related to a system or infrastructure. Typical steps associated with a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning networks to assess susceptibility to external hacks and threats;
Classifying vulnerabilities based on severity; and
Making tactical recommendations around how to eliminate or remediate threats at all levels.
As a best practice, Eze Castle Integration recommends that investment advisers conduct external vulnerability assessments at least once per year. Many firms may opt for semi-annual scans, particularly if the firm’s technology environment is continually changing.
The true goal of the vulnerability assessment is to gauge the level of security a firm has in place to protect against external threats and cyber-attacks. Depending on the third party conducting the test, a firm may be ‘graded’ with a number or letter score or simply provided with a list of vulnerabilities and security recommendations. Here’s one example of a grading system associated with a vulnerability/risk assessment:
Excellent: The firm’s security exceeds industry standards and best practices, and overall the firm’s security was found to be in excellent condition with only minor, low-level security vulnerabilities discovered.
Good: The firm’s security meets accepted standards within the industry, and overall the firm’s security was found to be strong with only a few low and medium-level security risks identified.
Fair: The firm’s security is somewhat below current industry standards and moderate changes would need to be implemented to increase security and meet industry levels.
Poor: The firm’s security has significant deficiencies and is well below industry standard level. Major changes would need to be implemented to alleviate critical and high-level vulnerabilities and elevate the firm’s overall security program.
For any vulnerabilities identified as part of the assessment, a description of the risk would be included as well as any specific systems or networks affected and recommendations for how the firm can either remediate or alleviate the risk. Ultimately, these assessments and their corresponding documentation will serve to demonstrate a number of significant points:
A) that the investment firm is taking the SEC’s ongoing cybersecurity inquiry seriously and preparing for upcoming regulatory examinations;
B) that investors can feel confident the firm is implementing policies and procedures to protect investor information and assets; and
C) that the firm is taking an overall proactive approach to mitigate risk, and ensure business continuity.