Cybersecurity: Investing in your Firm’s Future
Recent cybersecurity breaches such as Target and Neiman Marcus have caused the U.S. Government to start implementing security initiatives throughout all sectors to help defend against cyber-attacks. Companies too often find themselves in a reactive mode based on the latest attack by remediating the now known vulnerabilities in the organization. The initiatives are challenging industry sectors to take on a proactive role in protecting their organization against potential threats. Clearly cyber-attacks rarely come in the same form; however protecting to the extent reasonable is the challenge organizations are now facing. According to a global survey of securities exchanges, 89% identified cyber-crime as a potential systemic risk and 53% reported experiencing a cyber-attack in the previous year.*
Investment Firms can be particularly vulnerable to cybersecurity attacks due to the sensitive nature and significant value of client information and assets held, respectively, which is why the Security Exchange Commission’s Office of Compliance Inspections and Examinations (SEC OCIE) in 2014 has started to include in its Examination Priorities a focus on technology, including cybersecurity preparedness. Major technology sections in the Examination Priorities will include, but are not limited to: 1) Identification of Risks / Cybersecurity Governance; 2) Protection of Networks and Information; 3) Risks Associated with Remote Customer Access and Funds Transfer Requests; 4) Risks Associated with Vendors and Other Third Parties; and 5) Detection of Unauthorized Activity.
As part of its document requests to advisers and broker-dealers, the OCIE will likely seek detailed information regarding:
- Methodology and procedures for detecting unauthorized network and device activity along with who in the organization is tasked with the responsibility of monitoring the detection program.
- Documentation surrounding the nature, severity, duration of cybersecurity breaches since January 1, 2013 and associated remediation efforts.
- Any third party service providers and business partners who conduct remote maintenance and cybersecurity risk assessments on vendors and partners.
- Logical security measures including: authentication procedures for customers including PINs, on-line account access, and information regarding cybersecurity threats provided to enhance customer awareness
Over 50 cybersecurity examinations of registered broker-dealers and registered investment advisers will be conducted by OCIE. A Risk Alert (see link below) was issued in April 2014 that describes the OCIE’s examination initiative and includes a detailed sample request list of information. Preparedness for and compliance with this Risk Alert is essential.
Furthermore, on March 26, 2014, the SEC sponsored a Cybersecurity Roundtable to better inform the SEC, the marketplace, fellow agencies, and the private sector as to what cybersecurity risks they are facing are and how best to combat them. The two major categories discussed at the roundtable were issues potentially impacting public companies and issues impacting the capital market infrastructure and SEC-regulated entities. Chair Mary Jo White stated that Self-Regulatory Organizations and large alternative trading systems are a key area of focus. Chair Mary Jo White emphasized the need for stronger partnerships between the government and the private sector to combat these threats.
So, what can Investment Firms do to prepare?
- Review and update the firm’s Information Security Policy. The Information Security Policy is a key item as it provides governance over the controls and procedures in place to protect the organization against cyber-attacks.
- Perform a gap analysis. The gap analysis will allow the investment firm to document what has previously been done, the current environment in place, and where the firm needs to be for regulatory or compliance reasons.
- Risk identification and assessments are the first steps in establishing a strong defense against cyber-attacks:
- Identify any area that is considered to be high or medium risk which can be determined by analyzing the probably of occurrence and impact of event. Current controls for these risks should also be identified and analyzed to determine if the control is appropriate. Areas of risk would be access to physical devices such as desk computers and laptops, as well as Bloomberg terminals, software platforms for portfolio, general ledger and other accounting systems and application operations for security trading and wire transfers, as well as network architecture, vendor management, & logical and physical access.
- Developing mitigation plans should be a priority where a risk has been identified for having weak or no mitigating controls in place. Security controls that are developed should be measurable so effectiveness of control can be determined.
- Implement security controls to reduce risk to an appropriate level.
- Monitor security controls that are implemented to ensure the effectiveness of the control.
- Protecting the Network and Access to Information:
- Having a periodic assessment performed on controls in place helps ensure the confidentiality and integrity of the network and data. Areas that should be targeted in the assessment should include high risk areas as well as remote access to the network and ensuring the integrity of data transmission outside of the organization.
- Vulnerability assessments are another measure to help an organization detect any gaps or deficiencies with their network.
- Ensure 3rd party vendors and service providers of critical business processes have strong controls:
- Implement a strong Vendor Management program for all service providers including prime and executing brokers, fund administrators and pricing services. A strong Vendor Management program will assess risks associated with vendors and will allow an organization to put controls in place to mitigate those risks. Included in a strong Vendor Management program would also be a vendor selection process, as well as obtaining Service Organization Control (SOC) reports for current vendors so a review of their controls can be conducted.
- Detection of Unauthorized Activity
- There is a vast array of systems that compile event logs and perform an analysis for irregular activity. All of these systems allow organizations to have better insight into what is being performed, when, and by whom for all of their systems. This allows for the monitoring of the organization as a whole which is critical in identifying threats by irregular activity early.
More Regulation for SRO’s
As of February 3, 2015, the Securities and Exchange Commission (“Commission”) is adopting new Regulation Systems Compliance and Integrity (“Regulation SCI”) under the Securities Exchange Act of 1934 (“Exchange Act”) and conforming amendments to Regulation ATS under the Exchange Act. Regulation SCI will apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (“ATSs”), plan processors, and exempt clearing agencies (collectively, “SCI entities”), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities. The Commission’s rule on Regulation Systems, Compliance and Integrity, requires an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames.
Regulation SCI will require SCI entities to comply at a minimum with the following:
- Establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act.
- Mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities.
- Take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events.
- Disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity.
- Conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records.
Cyber-attacks are so effective because they are constantly evolving; constantly changing and we are always in a reactive mode to protect against the last known incident. Simple targeted attacks could include the fact that the names and titles of an Investment Firm’s executives are publicly available along with detailed information via social media sites. This creates a vulnerability to allow for a targeted attack by taking advantage of knowledge of the individual’s interests; for example, creating fake emails to entice them to click on malicious links that appear to be tailored to them. If attackers know insider information regarding individuals in a firm, they can target those key individuals to gain further information, such as HR or employees with access to the firm’s bank and broker accounts. Password reset security questions for key accounts should be unique and not publicly available via social media sites (such as mother’s maiden name, high school or college mascot, town they grew up in, etc). Whenever possible, security questions should be written by the account owner if such option is available. Employee education and awareness is crucial in the fight against cybersecurity.
Unfortunately with the use of any technology, unavoidable risks are encountered. The possibility exists that unauthorized users could access sensitive information through public access points and utilize that information in an inappropriate manner. This could result in additional risk to cybersecurity attacks, possible state and federal violations and a damaged reputation. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that technical vulnerabilities exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. Information security is constantly evolving as new technologies are introduced and networks become more complex. Organizations need continuous measures in place to counteract the increasing risks of hacking, cybercrime, corporate espionage, malicious destruction, and to comply with mandated regulations.
If you need guidance assessing your firm’s vulnerability to cyber-attacks and implementing a stronger and more effective Information Security Policy, contact a Marcum Technology Assurance Service professional.
Marni Pankin, CPA, Partner, Alternative Investment Group contributed to this article.
*Reference:See Rohini Tendulkar, “Cyber-crime, securities markets and systemic risk,” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges (July 16, 2013), available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf. Forty-six securities exchanges responded to the survey.