July 14, 2015
Cybersecurity: Investing in Your Firm's Future
By Heather Bearfield, Principal, National Technology Assurance Practice Group Leader
Recent cybersecurity breaches, such as those that affected the Internal Revenue Service and Anthem, to name just two, have prompted the U.S. government to begin implementing security initiatives across all sectors to help defend against cyber-attacks. Companies too often respond to data security breaches in a reactive mode, remediating vulnerabilities only after they have been exposed. The initiatives challenge companies in every industry sector to be proactive in protecting their organizations against potential threats. Cyber-attacks rarely repeat in the same form; prevention, to the extent reasonable, is nevertheless the challenge organizations now face.
According to a global survey of securities exchanges, 89% identified cyber-crime as a potential systemic risk, and 53% reported experiencing a cyber-attack in the previous year.* Investment firms can be particularly vulnerable to cybersecurity attacks because of the sensitive nature of the client information they hold and the significant value of the client assets they manage. For this reason, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (SEC OCIE) began in 2014 to include in its Examination Priorities a focus on technology, including cybersecurity preparedness. Major technology sections in the Examination Priorities include, but are not limited to: 1) Identification of Risks / Cybersecurity Governance; 2) Protection of Networks and Information; 3) Risks Associated with Remote Customer Access and Funds Transfer Requests; 4) Risks Associated with Vendors and Other Third Parties; and 5) Detection of Unauthorized Activity.
As part of its document requests to advisers and broker-dealers, the OCIE seeks detailed information regarding:
- Methodology and procedures for detecting unauthorized network and device activity, along with who in the organization is responsible for monitoring the detection program.
- Documentation of the nature, severity and duration of cybersecurity breaches since January 1, 2013, and the associated remediation efforts.
- Any third-party service providers and business partners that conduct remote maintenance of the firm's systems, and the cybersecurity risk assessments performed on those vendors and partners.
- Logical security measures, including authentication procedures for customers (such as PINs and online account access) and information regarding cybersecurity threats provided to customers to enhance their awareness.
Over 50 cybersecurity examinations of registered broker-dealers and registered investment advisers are being conducted by OCIE. A Risk Alert issued in April 2014 described the OCIE's examination initiative and included a detailed sample list of the information requested. Preparedness for and compliance with this Risk Alert is essential.
Mitigating CyberSecurity Risks & Threats
The SEC's Division of Investment Management released a CyberSecurity Guidance Update in April 2015 for investment funds and RIAs to help address and mitigate cybersecurity risks and threats.
They are clear in stating "...that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack. Appropriate planning to address cybersecurity and a rapid response capability may, nevertheless, assist funds and advisers in mitigating the impact of any such attacks and any related effects on fund investors and advisory clients, as well as complying with the federal securities laws."
An integral part of that planning is to:
- Conduct a periodic assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses, as well as examine internal and external cybersecurity threats to and vulnerabilities of the firm's information and technology systems. The repercussions of a security breach should be assessed as well.
- Create a strategy designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include, for instance, controlling access to systems and data through management of user credentials, as well as data encryption, data backup and retrieval, and the development of an incident response plan.
- Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.
The CyberSecurity Guidance goes on to say, "An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk."
So, what can Investment Firms do to prepare?
- Review and update the firm's Information Security Policy. The Information Security Policy is a key item because it provides governance over the controls and procedures in place to protect the organization against cyber-attacks.
- Perform a gap analysis. The gap analysis allows the investment firm to document the security protocols previously established, the environment currently in place, and where the firm needs to be for regulatory or compliance reasons.
- Perform risk identification and assessments to establish a strong defense against cyber-attacks:
  - Identify any area considered to be high or medium risk, as determined by analyzing the probability of occurrence and the impact of an event. The current controls for these risks should also be identified and analyzed to determine whether each control is appropriate. Areas of risk include access to physical devices such as desktop computers, laptops and Bloomberg terminals; software platforms for portfolio, general ledger and other accounting systems; application operations for securities trading and wire transfers; network architecture; vendor management; and logistical and physical access.
  - Where a risk has been identified because mitigating controls are weak or not in place, instituting or upgrading mitigation plans should be a priority. Security controls should be measurable so that their effectiveness can be determined.
  - Implement security controls to reduce risk to an appropriate level.
  - Monitor the implemented security controls to ensure they remain effective.
- Protect the network and access to information:
  - Periodically assessing the controls in place helps ensure the confidentiality and integrity of the network and data. The assessment should target high-risk areas as well as remote access to the network, to ensure the integrity of data transmitted outside the organization.
  - Vulnerability assessments are another measure that helps an organization detect gaps or deficiencies in its network.
- Ensure that third-party vendors and service providers of critical business processes have strong controls:
  - Implement a strong Vendor Management program for all service providers, including prime and executing brokers, fund administrators and pricing services. A strong Vendor Management program assesses the risks associated with vendors and allows the organization to put controls in place to mitigate those risks. It should also include a vendor selection process and a protocol for obtaining Service Organization Control (SOC) reports from current vendors so that their controls can be reviewed.
- Detect unauthorized activity:
  - A vast array of systems compile event logs and analyze them for irregular activity. These systems give organizations better insight into who is accessing their systems, and when, to help identify abnormal activity. Monitoring the organization as a whole in this way is critical to recognizing threats early through irregular activity.
More Regulation for SROs
As of February 3, 2015, the Securities and Exchange Commission ("Commission") adopted new Regulation Systems Compliance and Integrity ("Regulation SCI") under the Securities Exchange Act of 1934 ("Exchange Act") and conforming amendments to Regulation ATS under the Exchange Act. Regulation SCI will apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems ("ATSs"), plan processors, and exempt clearing agencies (collectively, "SCI entities"), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities. The Commission's rule on Regulation Systems, Compliance and Integrity requires an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames.
Regulation SCI requires SCI entities to comply, at a minimum, with the following:
- Establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act.
- Mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis with other SCI entities.
- Take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events.
- Disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity.
- Conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records.
Cyber-attacks are so effective because they are constantly evolving; we are always in a reactive mode, seeking to protect against a repeat of the last known incident. Simple targeted attacks can exploit the fact that the names and titles of an investment firm's executives are publicly available, along with other detailed information, via social media sites. This creates a vulnerability that allows a targeted attack to take advantage of knowledge of an individual's interests; for example, fake emails crafted to appear tailored to the recipient and entice them to click on malicious links. If attackers have insider information about specific individuals in a firm, they can target those key individuals to gain further information; human resources staff or employees with access to the firm's bank and broker accounts, for example. Password reset security questions for key accounts should be unique (not common questions such as mother's maiden name, high school or college mascot, or the town the person grew up in) and their answers should not be publicly available via social media sites. Whenever possible, security questions should be written by the account owner if that option is available. Employee education and awareness are crucial in the fight against cyber threats.
Unfortunately, the use of any technology entails certain unavoidable risks. Unauthorized users could obtain sensitive information through public access points and use that information inappropriately. This can result in additional risks, including cybersecurity attacks, possible state and federal violations and reputational damage. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that technical vulnerabilities exist and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. Information security is constantly evolving as new technologies are introduced and networks become more complex. Organizations must have continuous measures in place to counteract the increasing risks of hacking, cybercrime, corporate espionage and malicious destruction, as well as to comply with mandated regulations.
For guidance in assessing your firm's vulnerability to cyber-attack and implementing a stronger and more effective Information Security Policy, contact a Marcum Technology Assurance Service professional.
Marni Pankin, CPA, Partner, Alternative Investment Group, contributed to this article.
*Reference: See Rohini Tendulkar, "Cyber-crime, securities markets and systemic risk," Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges (July 16, 2013), available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf. Forty-six securities exchanges responded to the survey.