Broker-Dealers | Registered Investment Advisors | Hedge Fund Managers | Family Offices
Firms should recognize a one-size-fits-all approach to CyberSecurity does not work. Further, firms should look beyond their Information Technology personnel to establish a comprehensive Cybersecurity procedures and policies manual. Adopting an “ISSP” Information Systems Security Program appropriate to your circumstances and “IRP” Incident Response Plan that your personnel can successfully implement is key to prevention, detection, and recovery.
National Futures Association | CyberSecurity – Interpretive Notice ¶9070
The firm must develop and maintain a written ISSP for securing customer data and access to their electronic systems, which should be maintained with the rest of the firm’s written procedures. Although the firm is not required to have a separate single document describing every aspect of its ISSP, a comprehensive written policy may be the best way to ensure that firm personnel know what the firm’s policy is, depending upon the firm’s size and complexity of business and technological operations.
RND Resources recognizes the significant challenges and risks that investment securities dealers and advisors face in protecting sensitive client and company data as well as proprietary trade system information. Our professionals are competent at developing the ISSP and IRP. Should you need assistance, we’ll develop a plan consistent with your firms operations, perform system analysis, conduct staff training, and provide technical support or security surveillance. Feel free to reach out to us for further information or a quote (818) 657-0288.
Components of FINRA Regulation CyberSecurity Plan –
(Click on any list item for FINRA guideline information)
The corporate world has lost millions of dollars due to outdated or ineffective Cybersecurity infrastructure. The RND Resources Cybersecurity team strategizes closely with our clients to create a cost effective Cybersecurity governance framework. Our plans set up the necessary risk management policies, structures, and controls to effectively identify and manage security risks.
Your framework will be tailored to your firm’s unique risks, industry, and resources. Services in CyberSecurity Risk management include:
- Defining a governance framework to support decision-making based on risk appetite.
- Ensuring active senior management and board-level engagement with cybersecurity issues
- Identifying framework and standards to address cybersecurity
- Using metrics and thresholds to inform governance processes
- Dedicating resources to achieve the desired risk posture
- Performing cybersecurity risk assessments
RND Resources performs regular cybersecurity assessments for our clients to identify and analyze potential dangers. This analysis goes over a firm’s information technology system, assets, and vendor relationships to identify potential vulnerabilities. Our risk assessment includes:
- Conducting comprehensive and ongoing risk assessments
- Establishing a governance framework that minimizes risk
- Identifying and maintaining an inventory of assets authorized to access the firm’s network as well as critical assets that need prioritized protection
As a trusted Technology Compliance and Cybersecurity advisor, RND Resources works closely with our clients to ensure their vulnerabilities are addressed properly. We advise firms when and how to implement technical controls to protect their technical systems. Since the selection of controls is highly dependent on a firm’s circumstances, we tailor controls for our clients’ unique needs. Effective practices include:
- Implanting a defense-in-depth strategy
- Selecting controls appropriate to the firms technology and threat environment, for example;
- Identity and access management
- Data encryption
- Penetration testing
What do you do when a Cybersecurity incident happens? Firms need to have a plan in place to limit damage, reduce recovery time and costs, and let stakeholders know that the firm is prepared to deal with cybersecurity threats. RND Resources develops procedures to deal with the containment, investigation, notification, and mitigation of an attack.
- Preparing responses for the most likely types of incidents: loss of customers, data corruption, DDoS attack, network intrusion, customer account intrusion or malware infection
- Incorporating current threat intelligence to identify the most common incident types and attack vectors
- Developing containment and mitigation strategies for multiple incident types
- Creating eradication and recovery plans for system and data
- Launching an investigation and damage assessment process
- Preparing communication / notification plans for outreach to relevant stakeholders, e.g. customers, regulators, law enforcement, intelligence agencies, industry information sharing bodies
- Participating in industry-wide, and firm-specific simulation exercises
- Implementing measures to maintain client confidence, including:
- Credit monitoring for individuals whose personal information has been compromised
- Reimbursement to customers for financial losses
While you might take every step possible for cybersecurity, your third-party vendors may not. As a result, outside vendors can be a significant source of risk to your firm. We’ll help you manage outside risks from your vendor relationships.
- Performing pre-contract due diligence on prospective service providers
- Establishing contractual terms that protect sensitive information, govern the ongoing vendor relationship, and establish obligations for after the contract ends
- Maintaining ongoing due diligence on existing vendors
- Including vendor relationships as part of the firm’s ongoing risk assessment process
- Establishing procedures to halt vendor access to firm systems immediately upon contract termination
- Establishing, maintaining, and monitoring vendor entitlements to align with firm risk appetite and information security standards
Without the right training, your staff can be another major source of cybersecurity risk. FINRA found that many successful cybersecurity attacks were the result of employee mistakes; like accidentally downloading malware or responding to a phishing attack.
The NIST Framework identifies training as a critical piece of an organization’s cybersecurity infrastructure. NIST recommends that all users are trained to understand their specific roles and responsibilities. This includes educating those users about risks associated with the data they use. Provide cybersecurity training for your staff through RND Resources.
- Defining cybersecurity training requirements
- Identifying appropriate cybersecurity training update cycles
- Delivering interactive training that increases audience participation and improves retention
- Building training around the firm’s loss incident, risk assessment process, and threat intelligence
Cybersecurity threats are ever-evolving and increasing in complexity. Proactive firms can reduce their vulnerability and prevent problems before they even develop. We share the latest cyber intelligence and information with our clients so they learn how to identify, detect, and avoid future threats.
- Assigning responsibility for cybersecurity intelligence and analysis at the organizational and individual levels
- Establishing mechanisms to rapidly share threat intelligence with appropriate groups within the firm like the firm’s risk management and front-line information technology security staff
- Evaluating threat intelligence from tactical and strategic perspectives, to determine the appropriate course of action
- Participating in information sharing organizations; e.g. FS-IAC, and periodically evaluating the firm’s information-sharing partners
Cyber insurance is an excellent way to mitigate monetary damages, should you suffer a breach in your security resulting in the release of client information. RND Resources will review your firm’s insurance needs to determine if adequate coverage exists.
- For firms that have cybersecurity coverage: conducting a periodic analysis of the coverage to determine if the policy still meets the firm’s cybersecurity needs and helps with the ability to bear losses
- For firms that do not have cyber insurance, evaluating the cyber insurance market to determine if coverage is available that would enhance the firm’s ability to manage the financial impact of cybersecurity events
Cyber Threats are on the rise, are you prepared?
Cyber criminals are increasingly efficienct. Advanced Persistent Threats (APT), Data Breaches, Threats to Online Payment Systems, RansomWare, and Malware intrusions; hackers are prepared to disrupt your business and steal company information. Is your plan good enough to fend off intrusion attempts? What’s the response plan if an intrusion is successful?
Make cybersecurity a cornerstone of your business infrastructure.
See our review of FINRA 2015 Cybersecurity Practices Report