10 Takeaways from the SEC Cybersecurity Exam Findings (Webinar Recap)
In case you missed it, earlier this week we hosted a webinar in which our resident cybersecurity expert and SVP of Technology, Steve Schoener, answered questions about the results of the recent SEC cybersecurity exams and identified the top takeaways for hedge funds and investment management firms. Here’s a look at our Top 10 Takeaways from the exam findings. If video is more your style, you can watch the full webinar replay here or scroll down to the bottom of this article.
1. Most firms have a written information security policy in place.
A WISP, or Written Information Security Policy, was found to be in use at 93% of broker-dealers and 83% of registered investment advisers. What is typically included in a WISP document? Similar to business continuity plans, WISPs identify the scenarios a firm needs to be aware of from a security perspective, along with the preparedness measures that address those scenarios. Both administrative and technical safeguards are identified, giving the firm a complete picture of what it must protect and the processes in place to do so.
2. Broker-dealers are almost all conducting periodic risk assessments to identify cybersecurity issues.
When talking about periodic risk assessments, the question most often asked is how often they should occur. Schoener recommends that firms conduct risk or vulnerability assessments (VAs) at least annually. If a hedge fund experiences a lot of change in its IT environment, it may consider conducting a VA twice a year. *To provide our Eze Private Cloud clients with an additional level of documentation, Eze Castle Integration conducts vulnerability assessments twice per year.
Vulnerability assessments look at the specific technical details of a fund’s infrastructure and security environment. For example: is a system behaving differently from its known baseline? Are certificates present that were not there before, or that the firm did not issue? You can learn more about what occurs during and after a vulnerability assessment here.
3. Advisers are lacking in third party risk assessments.
The big takeaway here is that firms should be doing greater due diligence on their technology vendors, as well as other third parties that may have access to the firm’s networks. As cybersecurity threats continue to evolve, investor due diligence questionnaires are becoming more thorough, which may trigger firms to become more diligent in assessing and evaluating their service providers.
4. Just about everyone has suffered from some sort of cyber incident.
Most firms reported that they have experienced some sort of incident, usually related to malware or fraudulent emails. While the term “incident” is broadly used in the report, most cases refer to the aforementioned attacks.
5. Firms are suffering losses at the hands of hackers.
Through phishing and spear-phishing attacks, hackers are having more and more success in getting firm employees to make financial transfers. For background, phishing is the broader attack – such as an email asking a user to reset a password – while spear-phishing requires time and research before the attack is sent. Spear-phishing often takes the form of a heavily detailed email, perhaps purporting to come from the CEO to the CFO, asking for a wire transfer. While it looks legitimate, the domain name or email address usually differs slightly from the real one. Unfortunately, if the difference is not spotted, it can trip up employees, as the SEC’s exam results showed.
Schoener mentions that most companies aren’t “aware of how much information is out there on the internet, not as a result of hacking or data leakage, but there is substantially more information on the internet than we all realize.” This readily-accessible information, of course, makes it easier for hackers to approach firms via spear-phishing attacks. To help best protect your company from this situation, employee training and awareness is crucial.
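The lookalike-domain trick described above can be caught mechanically before a wire request ever reaches the CFO. The following is an added illustration, not code from the webinar or from Eze Castle Integration: it takes the sender of an inbound message, strips common character substitutions (rn for m, 1 for l, 0 for o), and compares the result against the firm’s own domain, a list of known counterparties, and a list of executives whose names are likely to be spoofed in the display name. The firm domain examplecapital.com, the partner domain examplebank.com, the executive name and the sample headers are all constructed for the example.

```python
"""Flag inbound mail whose sender looks like, but is not, the firm.

Added example. The firm domain, partner domain, executive names and
sample messages below are constructed; nothing here comes from the
SEC exam findings themselves.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

FIRM_DOMAIN = "examplecapital.com"       # assumed firm domain
KNOWN_PARTNERS = {"examplebank.com"}      # assumed trusted counterparties
EXECUTIVES = {"jane doe"}                 # assumed names attackers would impersonate

# Character substitutions commonly used to build lookalike domains.
# Multi-character sequences must be replaced before single characters.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize(label: str) -> str:
    """Lower-case a domain label and undo common confusable substitutions."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable(domain: str) -> str:
    """Naive registrable domain: the last two labels (mail.x.com -> x.com).

    Good enough for the example; real code would consult the public
    suffix list so that x.co.uk is handled correctly.
    """
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between two labels after confusable normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def classify_sender(from_header: str, reply_to: str = "") -> str:
    """Return a verdict for one message's From (and optional Reply-To) header."""
    name, addr = parseaddr(from_header)
    sender = registrable(domain_of(addr))

    if sender == FIRM_DOMAIN:
        # Genuinely internal address, but a Reply-To pointing outside the
        # firm is the classic way a thread gets redirected to the attacker.
        if reply_to:
            _, rt_addr = parseaddr(reply_to)
            if registrable(domain_of(rt_addr)) != FIRM_DOMAIN:
                return "suspicious reply-to"
        return "internal"

    if sender in KNOWN_PARTNERS:
        return "known partner"

    firm_label = FIRM_DOMAIN.split(".")[0]
    sender_label = sender.split(".")[0]
    # Same name under a different TLD, or a homoglyph copy of the name.
    if normalize(sender_label) == normalize(firm_label):
        return "lookalike"
    # One-or-two character edits (examplecapitol, examplecapitall, ...).
    if similarity(sender_label, firm_label) >= 0.85:
        return "lookalike"

    # External domain but the display name claims to be one of our executives.
    if name.strip().lower() in EXECUTIVES:
        return "display-name spoof"

    return "external"


# Constructed sample headers, as they might appear in a mail gateway log.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@examplecapital.com>", ""),
    ("Jane Doe <jane.doe@examplecapita1.com>", ""),
    ("Jane Doe <jane.doe@exarnplecapital.com>", ""),
    ("Jane Doe <jane.doe@examplecapital.co>", ""),
    ("Jane Doe <janedoe.ceo@gmail.com>", ""),
    ("Jane Doe <jane.doe@examplecapital.com>", "accounts@mail-forward.net"),
    ("Bob <bob@examplebank.com>", ""),
    ("Newsletter <news@vendor.com>", ""),
]


def triage(messages=SAMPLE_MESSAGES):
    """Classify each (From, Reply-To) pair; returns a list of (From, verdict)."""
    return [(frm, classify_sender(frm, rt)) for frm, rt in messages]


if __name__ == "__main__":
    for frm, verdict in triage():
        print(f"{verdict:22} {frm}")
```

Anything that comes back as lookalike, display-name spoof or suspicious reply-to is exactly the message that should be quarantined or at least tagged before it lands in a finance mailbox, and it is also the message a wire-transfer procedure should force through an out-of-band callback regardless of how convincing the text is.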
6. Employees are not always following firm procedures.
According to the exam results, firm employees follow procedures most of the time. However, skilled hackers can still convince even the most compliant employee to click a suspicious link or transfer a small amount of money, and employees can easily cut corners and put the firm at risk if the proper procedures are not in place to protect against cyber threats. The best solution is to have firm checks and balances in place and to make sure that employees who handle money or sensitive information are following those procedures and not cutting corners.
7. Many firms are looking to their peers for information sharing.
As more and more organizations are attacked, participation in information sharing is increasing, typically within closed groups. According to Schoener, “a large number of, especially the very large broker-dealers, the big banks, all participate in something called FS-ISAC... that’s all about sharing intelligence around cybersecurity related to the financial sector.” This kind of information sharing can go a long way toward keeping firms aware of industry happenings and, hopefully, better prepared for future incidents.
8. Broker-dealers are significantly more likely to have a Chief Information Security Officer.
Many hedge funds and investment firms – particularly startups and smaller firms – do not employ dedicated CISOs, but rather COOs and CTOs handle those responsibilities. Duties include “understanding the policies that a firm has in place today and why they have them in place.” As the person or persons responsible for your firm’s security needs, it’s essential to stay up-to-date on the changes in technology and meet with service providers regularly to ensure your firm is in the best position to secure your data.
9. Very few advisers have cybersecurity insurance.
While the SEC exams found that few RIAs currently employ cybersecurity insurance, we’re seeing more and more start-ups taking this into account during the launch phase. We also expect more established firms will be looking to evaluate these types of policies in the near future.
10. Broker-dealers are considerably more prepared than registered advisers.
Not surprisingly, broker-dealers fared better overall according to the results of the SEC’s exams. Based on their sizes and clientele, broker-dealers are more likely to make the investments in technology and have large IT staffs dedicated to security. That said, RIAs are likely to continue to boost their security defenses to meet both the SEC’s guidance as well as increasing investor expectations.