Tips for Tackling Your Financial Firm's Cybersecurity To-Do List
We continue to discuss cybersecurity with financial firms on a regular basis, and with the expectation that the SEC will start cybersecurity exams sometime around September, it’s evident that registered investment advisers are working diligently to answer the questionnaire and shore up internal practices.
To continue fostering education around this topic, we hosted two events last week dedicated to cybersecurity for hedge funds and other registered investment advisers. In case you missed them, you can read a brief recap of some of the key topics discussed or scroll down to watch our full webinar replay.
Cybersecurity a Hot Topic on State & Federal Level
By now, we all know the SEC has taken steps to ensure that hedge funds and registered investment advisers put security mechanisms and practices in place to protect against cyber threats. SEC Commissioner Luis Aguilar said there is “substantial risk that a cyber-attack could cause significant and wide-ranging market disruptions and investor harm.” Even beyond the federal level, some states are chiming in on the cybersecurity front. Earlier this month, Massachusetts and Illinois acknowledged that they were polling investment advisers about their security practices, and that based on responses, state regulations could be impacted.
SEC Fundamental Concerns
According to Eldon Sprickerhoff, Chief Security Strategist at eSentire, the SEC’s cybersecurity initiative is designed to shed light on the following four fundamental concerns:
Day-to-day operations in a rapidly changing landscape
Detection and reporting of a cyber incident
Impact on cybersecurity of fundamental decision making
Expectations of executive oversight of this new risk category
Beyond Technology: Written Information Security Plans (WISP)
Question 2 in the SEC’s cybersecurity questionnaire states: “Please provide a copy of the Firm’s written information security policy.” In plain, bold letters, the SEC has announced that it expects hedge funds and other registered investment advisers not only to implement cybersecurity policies, but also to document them. Administrative and operational steps are just as critical to a successful security program as robust technology solutions.
As part of your financial firm’s cybersecurity WISP, we at Eze Castle Integration advise that firms investigate and answer the following questions (Note: this is not a comprehensive list):
What is data and where is data located? Not all data is created equal. Is it encrypted? Is it on shared drives or stored locally?
How is data protected? Is it encrypted? If you’re sending investor information and it’s not encrypted, you put investors’ data at risk. Do you need to access a portal or some other website to access certain confidential information?
Who has access to information? Employees need access to the data necessary to complete their tasks. Beyond that, firms should limit what data employees have access to. It’s not about not trusting your employees, but more so about not trusting the technology behind those employees. The less data employees can get to, the less damage can be done via an internal breach or external hack.
What incident response procedures are in place? Odds are your firm has already suffered some sort of security incident – even if it’s as small as a malware attack. Firms need to identify what the business response will be to a variety of incident types. In what situations will investors, authorities, etc. need to be notified? Documenting these scenarios in advance will cut down on response times in real-life situations.
What are employees’ responsibilities? User training becomes key here. Employees should be responsible for security awareness, but businesses should also make it a priority to provide proper training and educational resources to everyone across the firm.
On the cybersecurity technology front, financial firms should employ the following technical practices to mitigate security risks:
Audit & logging
For even more information on the technical and operational safeguards investment firms should implement to protect against cyber threats, watch our full webinar replay below featuring speakers from Eze Castle Integration, eSentire and Maloy Risk Services.
Other Cybersecurity Resources You Might Find Helpful:
Whitepaper: Critical Cybersecurity Threats & How to Prepare in 2014
Article: Exploring the Links Between Cybersecurity and Business Continuity
Photo Credit: eSentire