Cybersecurity and Examiners: How Your Firm Should Prepare
The SEC's interest in cybersecurity is strong and only likely to increase in the coming years. Its examination staff has issued a risk alert on the subject, and listed cybersecurity as a top priority in both 2014 and 2015. So what's a chief compliance officer to do in anticipation of examiner scrutiny?
There is no cookie cutter list of which cybersecurity areas to prioritize in expectation of an exam. The SEC's Office of Compliance Inspections and Examinations issued a seven-page cybersecurity questionnaire to firms about a year ago, but there was no priority listed among the 70 cybersecurity areas it covered (ACA Insight, 4/7/14).
But there is a smart path to follow. Rather than simply address each cybersecurity concern the SEC staff has listed, one at a time, firms should first determine which cybersecurity threats are most likely to affect them. Given the differences among firms in terms of size, the investments they make, and the transactions they conduct, the cybersecurity priorities for each firm will be somewhat different.
Conduct a risk assessment
The first step a firm should take is a risk assessment to determine its greatest areas of cyber vulnerability.
"Go broader than what is in the SEC questionnaire," said Raj Bakhru, partner at ACA Aponix, which works with advisers to understand and address their cybersecurity needs. "Create a prioritized list of risk" by ranking each item as high, medium or low. Then, "tackle the low-hanging fruit among the high-risk categories first." It can take a year to go through the issues, and some firms may elect to act on some and take a chance by not addressing others right away, depending on their business circumstances, he said.
Firms will have different priorities based on the type of business they are in, said Joshua Larocca, managing director at consultant Stroz Friedberg. For instance, if 85 percent of your firm's employees work offsite, there may be cloud storage issues, such as employees loading company information to a personal cloud. On the other hand, if few of your employees work offsite, that most likely is not a priority risk, he said.
This does not mean that non-priority cybersecurity issues should not be addressed, Larocca said. "Look at all the questions the SEC has raised and develop a reasonable response to all of them, but not all are priorities for each firm."
Once you know where your firm's cybersecurity vulnerabilities are, you are ready to move forward and address specific areas.
Policies and procedures
Develop cybersecurity policies and procedures that show the requirements your firm has for cybersecurity, who is responsible for performing them, where records will be kept, and more. These include policies and procedures for access to customer information, working with vendors, internal checks on systems that safeguard client information, who has access to client information, books and records documenting steps taken, and more.
"This is where we expect the SEC examiners to focus," said Bakhru, as vendors often may not provide the same degree of security as advisers do. The agency is aware of this and wants to ensure that advisers require their vendors to provide the necessary protection.
The SEC has indicated that it will conduct the next phase of its cybersecurity sweep this summer, with a focus on five to seven topic areas. Bakhru believes that vendor risk is a top candidate as a focus area.
Vendors represent "one of the greatest risks that any financial service firm has in terms of cybersecurity," said Mayer Brown partner Jeffrey Taft. "They are often the weak link in the chain."
What's the risk? Vendors, if they have their own weak cybersecurity safeguards, may provide easy access to your firm's systems, including client information. For instance, trade and position files that are transmitted to prime brokers may not be configured correctly, leaving those files vulnerable, Bakhru said.
Address vendor risk with:
Due diligence. Prior to bringing a new vendor on board, perform a background check, find out how long it has been in business and what other firms it has done business with, obtain its financial statements, and generally "kick the tires," said Taft. The type of work a specific vendor will be performing makes a difference. If a vendor will be working with client information, make sure your due diligence is more thorough than the due diligence you might perform on another vendor whose work will not include access to client information or confidential trade secrets. "Ask whether they are compliant with the Gramm-Leach-Bliley Act and state privacy regulations, which may require safeguards to protect customer information," he said. "How do they store information? Do they encrypt information? How will information be transmitted? Have they had an independent third party come in and audit their security system?" These kinds of checks are especially needed for new vendors, but if you have an opportunity to perform due diligence on existing vendors, such as when a vendor's contract comes up for renewal, do so.
Contracts. Here's where you can set the rules with a vendor as to what is expected. "Make sure the contract states that a vendor and any of its subcontractors will safeguard client information, that the vendor will notify you if unauthorized access occurs, and that the vendor will indemnify you if there is a breach," said Taft. Try to negotiate a provision that the vendor will agree to an independent third-party security audit and share the results with you, and will do so annually. Cooperation and other actions that will be taken in the event of a breach involving customer information should be spelled out in the contract, he said.
Review. If you are successful in negotiating that an independent third party will review the vendor's work in regard to cybersecurity annually, be certain to review any reports and be prepared to take action if there are problems identified in any of the reports. These actions might include allowing 30 days for the vendor to correct a problem before termination, and automatic termination if a vendor does not timely inform your firm when a breach occurs, Taft said.
Expect SEC examiners to ask how various types of information can be accessed through your systems, who has access to that information, whether the access is "tiered" by the type of information and "need to know," and how access is terminated for people who change jobs within the firm or leave the firm, said Taft. "Your policies and procedures should show how you determine, on an ongoing basis, which individuals have access, how access is periodically reviewed, and how access is terminated when an individual changes jobs or leaves the company."
Some examiners may speak with employees in human resources or information technology to see how what is written in your policies and procedures actually plays out, asking to see how they go about terminating someone for a breach of policies involving customer information or when an individual leaves the company.
Hacking or acting under false pretenses is another access challenge, and it can occur either through a customer or through an employee, said Taft. "The best way to address this on the employee side is through training," including ways in which information may be inadvertently compromised or shared. Employees should not only avoid clicking on suspicious links or opening suspicious documents, but avoid saying things on the phone that might give away information about an account without verifying that the call is from an account holder.
Cybersecurity training should also address how employees should not leave laptops "lying around," as well as make the case that a firm's malware prevention programs should be kept up to date, said Sutherland partner Brian Rubin.
On the customer side, a customer might have malicious software inadvertently installed on his or her computer that would allow a third party to monitor or log his or her key strokes. This could result in the third party obtaining the customer's account number and pass code, permitting funds to be transferred from one of your customer's accounts to a bank account in another part of the world. "Consider having a third party conduct penetration testing of your computer systems," Taft said. This involves hiring a third party to try and hack your system and then sharing the results with your firm. Such testing is usually performed by a consulting firm or an accounting firm, and costs can often be scaled to firm size and expense considerations, he said.
Make sure your firm is ready for an information breach by developing and testing an incident response plan, said Rubin. If there is a breach, the plan should make clear who to notify, when, under what circumstances, who's responsible for taking on specific tasks, how to mitigate the threats, how and when to communicate with clients, and more.
Here's a hypothetical incident from Rubin that demonstrates some of the questions that an incident response plan may need to address: Someone outside your firm accessed customer information. "Does the firm have to shut down the entire system or just part of it?" he asked. "Have there been any unauthorized transactions? Which clients are at risk? Who in the firm should be involved: IT, traders, compliance personnel? An outside consultant, possibly a forensics consultant, or a law firm may need to be called in. Find out your state's definition of what constitutes a breach and what your firm is required to report."
Fortunately, perhaps thanks to the SEC's risk alerts and priority lists, cybersecurity is now a chief executive officer/board of directors' issue, said Taft. Upper management buy-in can result in more resources for cybersecurity. "Boards also ask difficult but necessary questions, such as whether risk assessments have been conducted by the company, the results of those assessments and steps taken to mitigate those risks," he said.
While conducting a risk assessment to determine your firm's cybersecurity risks and then acting on those risks is critical to determining what cybersecurity areas your firm should focus on, don't fall into the trap of ignoring the smaller cybersecurity risks or failing to educate employees about the risks. The fact is, while you want to place most of your attention on the areas where your firm is most vulnerable, if something goes wrong in any part of your firm's systems that affects client information, "the SEC is going to look at that area with perfect hindsight," said Taft.
"There is no such thing as a 100 percent foolproof security system," he said. The best you can do is continuously assess your risks and take appropriate steps to mitigate the biggest concerns. But knowing what those risks are is more than half the battle, he said, referring to the industry joke, "There are two kinds of companies: Those that have been hacked and those that know they have been hacked."