
How to Comply With the SEC's Cyber Security Guidance
Last week, we partnered up with law firm Sadis & Goldberg to host a webinar where we discussed the Securities and Exchange Commission’s (SEC) Division of Investment Management’s latest cybersecurity guidance recommendations and offered firms clear direction on satisfying these new requirements from both a legal and technology perspective. Featured speakers included John Araneo, counsel, and Lance Friedler, partner, at Sadis & Goldberg, as well as Eze Castle Integration’s Managing Director Vinod Paul.
Cyber Threats Across the Industry
The cyber threat landscape is changing rapidly, and our speakers shared examples of how sophisticated attackers are targeting all industries, not only financial services. Araneo gave two examples of data breaches at companies that were recently penalized by the SEC for failure to meet requirements. The first was a firm that failed to use strong passwords and allowed access to systems after long periods of computer inactivity, resulting in a penalty and two years of mandatory independent security consulting. The second firm failed to enforce the use of anti-virus software, leading to an unauthorized trade from a customer’s account and fines totaling over $100,000.
Beyond mismanagement of internal cyber controls, phishing and ransomware are other targeted approaches our speakers said they are seeing across the industry: hackers target executives with fake emails that try to phish sensitive information or carry attachments that can infect entire systems. In the case of ransomware, if a user opens an infected email, it locks down the firm’s files, and the only way to recover them is to buy a key from the hacker. As the sophistication of cyber attackers increases, firms are expected to shore up security and employ best practices to protect sensitive company information – a goal the SEC is targeting with its most recent cybersecurity guidance recommendations.
SEC Cybersecurity Guidance: How to comply
The SEC’s IM Division released a guidance update in April 2015 and expressly stated that cybersecurity risks represent an “important issue” that it will continue to focus on. At this point, the SEC hasn’t formally enacted any of its recommendations into legislation; however, Araneo pointed out that there is danger in neglecting or mishandling cybersecurity preparedness. For example, if deficiencies are found in infrastructure, planning or policies, firms could face civil liability lawsuits depending on the specifics of the contracts in place. The SEC’s IM Division released recommendations for a three-step approach that should be integrated into every business’s cyber security program:
- Periodic Assessments – Evaluating your firm’s confidential information, infrastructure vulnerabilities and governance structure.
- Design Strategy – Creating a plan that prevents, detects, and allows firms to respond to any security-related vulnerabilities.
- Implementation – Developing policies and procedures, training employees and creating accountability within the organization.
Let’s dive into these areas a little deeper.
Periodic Assessments
The SEC guidance encourages firms to regularly assess all aspects of their operations that relate to technology and security and conduct periodic assessments across five key areas.
- Identify Confidential Info: What is it? Where is it located? This should also include external information that is provided to third-party service providers.
- Threat Landscape: Firms should have a clear understanding of the threat landscape and should conduct a technical policy assessment to look for areas for improvement across systems and procedures.
- Security Controls: What procedures are currently in place at your firm? Is there an access control policy employed to limit the number of employees with access to certain networks or files?
- Security Impact: This part is about the impact that a security breach could have on your business, systems, and information. Firms should conduct a Business Operations Assessment and prioritize systems that are mission-critical.
- Governance Structure: Who is responsible for managing security risks? Does your firm have a Chief Information Security Officer or Incident Response Team?
Cyber Security Strategy
The SEC also identified five key focus areas for firms to address when implementing their strategy.
- Security layers: Firms should have multiple layers of security across the firm’s networks and policies to ensure proper defense against cyber threats. Employing the principle of defense in depth will put investment firms in a position to ward off security threats and limit the effects of a breach.
- Encryption: Firms should consider where and when encryption needs to be used. For example: does your firm require encryption on mobile devices that have access to sensitive information?
- Data backup & retrieval: You should have details on what software and infrastructure you use to back up your files, how often backups are performed and where they are stored. This information should be included in your disaster recovery plan and business continuity plan as well.
- Removable storage media: Does your firm have a policy regarding USB and thumb drives, for example? Have you implemented USB lockdown to prevent employees from copying or removing certain information?
- Incident response planning: Firms need to develop and maintain guidelines for responding to a security incident. This plan should outline who is responsible for managing the response process and how the firm is going to go about restoring normal operations.
Part 3: Implementation of Policies and Procedures
The third and final section outlined within the SEC’s cybersecurity update includes recommendations on written information security plans and employee awareness and training.
Written Information Security Plans (WISP)
While enacting and employing policies to mitigate security risk is essential, documenting those policies is equally important. Documentation also demonstrates to investors and clients that your firm takes cybersecurity preparedness seriously. When writing your WISP, look at your firm’s administrative and technical safeguards, and keep in mind that the WISP needs to be continuously audited so that it reflects changes to your business and the changing cybersecurity landscape.
Employee Awareness & Training
Even with a WISP in place, you still need to train your employees on how to identify and mitigate cybersecurity risk to make your firm’s policies effective. Employees can either be your firm’s biggest weakness or your first line of defense, so it’s imperative to keep them well informed and educated on the risks facing your firm and the industry as a whole. Firms should conduct annual security training to educate employees on risks impacting them and the threats prevalent in the industry, including phishing schemes, malware, etc.
A Few Final Thoughts
- When integrating these measures into your firm, you want to do it at an enterprise level (top to bottom).
- You want to identify and assess all sensitive data – confidential, proprietary and otherwise. This includes both native data (investment strategy, data, employee information) and external data (investor information and third-party data).
- True cybersecurity preparedness means taking a look at the vulnerabilities of your systems and infrastructure. You want to craft policies and procedures around those vulnerabilities. This means working closely with your IT department to ensure that all requirements are met.
- You want to perform due diligence on third-party vendors. Inevitably, you are engaged with a variety of service providers, and it is important to know whether their cyber security standards are a possible weakness.
- You want to make sure you document all assessments and reviews that you perform on your cyber security program and third-party providers, and audit those assessments periodically.
- Lastly, the SEC intimated that failure to implement these protections may result in a violation of federal securities law, including the Investment Advisers Act and the Investment Company Act. While nothing has been formally regulated at this point, it is likely that the SEC will take steps in the future – beyond exams – to ensure firms are taking cybersecurity preparedness seriously.