Timothy M. Simons, CFA, CFP, CIPM, CSCP
Senior Managing Member
Focus 1 Associates LLC
August 23, 2017
January 9, 2014 – Examination Priorities for 2014
Although the SEC did refer to cybersecurity in the Examination Priorities for 2013, under the label “information technology systems,” it was 2014 before the SEC named cybersecurity as such and identified it as an Examination Priority:
“The staff will focus on market access controls related to, among other things, erroneous orders; the use of technology with a focus on algorithmic and high frequency trading; information leakage and cyber security…”
Cybersecurity was listed as a priority under the broker-dealer section of the Examination Priorities for 2014, but it would also apply to the Investment Adviser / Investment Company area. In fact, just three months later the SEC would tell us that.
April 15, 2014 – OCIE Cybersecurity Initiative
This Risk Alert gave the background proving that the SEC was also including advisers in the cybersecurity pool.
“On March 26, 2014, the SEC sponsored a Cybersecurity Roundtable…to gather information and consider what additional steps the Commission should take to address cyber-threats….As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Attached to the Risk Alert was a sample document request that would be used for those examinations, and could be used by those firms not examined, to assess their own level of preparedness.
February 3, 2015 – Cybersecurity Examination Sweep Summary
This Risk Alert summarized the examinations of the fifty-seven registered broker-dealers and forty-nine registered investment advisers. “The staff conducted limited testing of the accuracy of the responses and the extent to which firms’ policies and procedures were implemented. The examinations did not include reviews of technical sufficiency of the firms’ programs.” (Emphasis added)
- The vast majority of examined broker-dealers (93%) and advisers (83%) have adopted written information security policies.
- The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences.
- Most of the examined firms reported that they have been the subject of a cyber-related incident.
- Many examined firms identify best practices through information-sharing networks.
- The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources.
- The examined firms’ cybersecurity risk policies relating to vendors and business partners revealed varying findings.
- Most of the examined firms make use of encryption in some form.
- Many examined firms provide their clients with suggestions for protecting their sensitive information.
- The designation of a Chief Information Security Officer (“CISO”) varied by the examined firms’ business model.
- Use of cybersecurity insurance revealed varying findings among the examined firms. Over half of the broker-dealers maintain insurance for cybersecurity incidents, but less than a quarter of advisers do.
April 2015 – Division of Investment Management Guidance Update on Cybersecurity
This was not a Risk Alert, but note that the folks in the Division of Investment Management are the ones who write the IA/IC Rules. The Guidance Update provided three measures that funds and advisers may consider:
- Conduct a periodic assessment of:
  - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  - internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - security controls and processes currently in place;
  - the impact should the information or technology systems become compromised; and
  - the effectiveness of the governance structure for the management of cybersecurity risk.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
  - controlling access to various systems and data via management of user credentials, authentication and authorization methods, and other means, and system hardening;
  - data encryption;
  - protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions;
  - data backup and retrieval; and
  - the development of an incident response plan.
- Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.
September 15, 2015 – OCIE’s 2015 Cybersecurity Examination Initiative
This Risk Alert identified the areas of focus for the second round of cybersecurity examinations, involving more testing to assess implementation of procedures and controls, focusing on:
Governance and Risk Assessment:
- cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below.
- periodic evaluation of cybersecurity risks and whether their controls and risk assessment processes are tailored to their business.
- the level of communication to, and involvement of, senior management and boards of directors.
Access Rights and Controls:
- controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes.
- control access to various systems and data via management of user credentials, authentication, and authorization methods.
- controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
Data Loss Prevention:
- robust controls in the areas of patch management and system configuration.
- monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads.
- monitor for potentially unauthorized data transfers and how firms verify the authenticity of a customer request to transfer funds.
Vendor Management:
- firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- how vendor relationships are considered as part of the firm’s ongoing risk assessment process and how the firm determines the appropriate level of due diligence to conduct on a vendor.
Training:
- how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior.
- how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
Incident Response:
- acknowledge the increased risks related to cybersecurity attacks and potential future breaches.
- have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.
Again, the SEC attached a sample request for information and documents to be supplied to the examiners.
May 17, 2017 – Cybersecurity: Ransomware Alert
This Risk Alert also provided some preliminary information on the current examination Initiative that the staff believed might be particularly relevant to smaller registrants:
- Cyber-risk Assessment: Firms examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: Firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: Firms examined have a process in place for ensuring regular system maintenance; however, some firms examined had a significant number of critical and high-risk security patches that were missing important updates.
August 7, 2017 – Observations from Cybersecurity Examinations
“The staff noted an overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since the Cybersecurity 1 Initiative. Most notably, all broker-dealers, all funds, and nearly all advisers examined maintained cybersecurity related written policies and procedures addressing the protection of customer/shareholder records and information. This contrasts with the staff’s observations in the Cybersecurity 1 Initiative, in which comparatively fewer broker-dealers and advisers had adopted this type of written policies and procedures.”
- Most firms conducted periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber-incident.
- Most broker-dealers and almost half of the advisers conducted penetration tests and vulnerability scans on critical systems.
- All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
- Most firms had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.
- Information protection programs at the firms typically included relevant cyber-related topics, such as policies and procedures and response plans.
- Most firms maintained cybersecurity organizational charts and/or identified and described cybersecurity roles and responsibilities for the firms’ workforce.
- Most firms had authority from customers/shareholders to transfer funds to third party accounts, but not all maintained policies and procedures related to verifying the authenticity of a customer/shareholder who was requesting to transfer funds.
- Most firms either conducted vendor risk assessments or required that vendors provide the firms with risk management and performance reports (i.e., internal and/or external audit reports) and security reviews or certification reports.
While most firms maintained written policies and procedures addressing cyber-related protection of customer/shareholder records and information, a majority of the firms’ information protection policies and procedures appeared to have issues, including:
- Policies and procedures were not reasonably tailored.
- Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices.
- The staff also observed Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities.
Elements of Robust Policies and Procedures
- Maintenance of an inventory of data, information, and vendors.
- Detailed cybersecurity-related instructions, such as: penetration tests; security monitoring and system auditing; access rights; and reporting.
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, such as vulnerability scans of core IT infrastructure and patch management policies.
- Established and enforced controls to access data and systems.
- Mandatory employee information security training.
- Engaged senior management. The policies and procedures were vetted and approved by senior management.
The SEC calls these information sources Risk Alerts for a reason. The intent is to alert registrants to concerns that the SEC has about the way firms operate and to issues with which the firms must deal. You can sign up for these alerts on the SEC’s website: www.sec.gov/news/press/subscribe_updates.htm
In my view, if you are not watching for SEC alerts, somebody at the firm is not doing their job, and it might be you.
Please note that every SEC Risk Alert includes the same last note:
“The adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”