Broker-Dealers | Registered Investment Advisors | Hedge Fund Managers | Family Offices
A one-size-fits-all approach to cybersecurity does not work. Today’s cyber-threat landscape requires firms to look beyond Information Technology personnel when establishing a comprehensive cybersecurity policy and procedures manual. Adopting an Information Systems Security Program (ISSP) appropriate to your circumstances and an Incident Response Plan (IRP) is key to prevention, detection, and recovery.
Regulators such as FINRA and the SEC suggest a risk-based approach to cybersecurity, implemented alongside recognized industry frameworks and standards. An example of an acceptable industry framework is the one developed by NIST (National Institute of Standards & Technology), the “Framework for Improving Critical Infrastructure Cybersecurity”. The NIST Framework is a flexible method designed around business needs, risk tolerance, and resources.
RND Resources recognizes the significant challenges and risks that investment securities dealers and advisors face in protecting sensitive client and company data as well as proprietary trading system information. Our professionals are experienced in developing the ISSP and IRP. Should you need assistance, we’ll develop a cybersecurity policy and procedures plan consistent with your firm’s operations, perform system analysis, conduct staff training, and provide technical support or security surveillance. Feel free to reach out to us for further information or a quote: (818) 657-0288.
Components of a FINRA-Compliant Cybersecurity Plan –
The corporate world has lost millions of dollars due to outdated or ineffective cybersecurity infrastructure. At RND we strategize closely with our clients to create a cost-effective cybersecurity governance framework. Our plans are tailored to each firm’s risk management policies, structures, and controls, for a program that will effectively identify and manage security risks.
Your framework will be tailored to your unique risks, industry, and resources. Services in cybersecurity risk management include:
- Defining a governance framework to support decision-making based on risk appetite.
- Ensuring active senior management and board-level engagement with cybersecurity issues
- Identifying framework and standards to address cybersecurity
- Using metrics and thresholds to inform governance processes
- Dedicating resources to achieve the desired risk posture
- Performing cybersecurity risk assessments
Our staff can perform regular cybersecurity assessments for clients to identify and analyze potential dangers. This analysis goes over a firm’s IT system, assets, and vendor relationships and identifies potential vulnerabilities. Our risk assessment includes:
- Conducting comprehensive and ongoing risk assessments
- Establishing a governance framework that minimizes risk
- Identifying and maintaining a record of staff authorized to access the firm’s network, and of the proprietary information that needs prioritized protection
As a trusted Technology Compliance and Cybersecurity consultant, RND Resources works closely with our clients to ensure their vulnerabilities are addressed properly. We advise firms when and how to implement technical controls to protect their digital data. Since the selection of controls is highly dependent on a firm’s circumstances, we tailor controls for our clients’ unique needs. Effective practices include:
- Implementing a risk-based strategy
- Selecting controls appropriate to the firm’s technology and threat environment, for example:
- Identity and access management
- Data encryption
- Penetration testing
FINRA expects member firms to have an IRP in place. The IRP is designed to limit damage, reduce recovery time and costs, and let stakeholders know that the firm is prepared to deal with a cyber-attack. RND Resources develops procedures to deal with the containment, investigation, notification, and mitigation of an attack. Read our blog post on drafting the IRP….
- Preparing responses for the most likely types of incidents: loss of customer data, data corruption, DDoS attack, network intrusion, customer account intrusion, or malware infection
- Incorporating current threat intelligence to identify the most common incident types and attack vectors
- Developing containment and mitigation strategies for multiple incident types
- Creating eradication and recovery plans for system and data
- Launching an investigation and damage assessment process
- Preparing communication / notification plans for outreach to relevant stakeholders, e.g. customers, regulators, law enforcement, intelligence agencies, industry information sharing bodies
- Participating in industry-wide, and firm-specific simulation exercises
- Implementing measures to maintain client confidence, including:
- Credit monitoring for individuals whose personal information has been compromised
- Reimbursement to customers for financial losses
While you might take every step possible for cybersecurity, your third-party vendors may not. As a result, outside vendors can be a significant source of risk to your firm. We’ll help you manage outside risks from your vendor relationships.
- Performing pre-contract due diligence on prospective service providers
- Establishing contractual terms that protect sensitive information, govern the ongoing vendor relationship, and establish obligations for after the contract ends
- Maintaining ongoing due diligence on existing vendors
- Including vendor relationships as part of the firm’s ongoing risk assessment process
- Establishing procedures to halt vendor access to firm systems immediately upon contract termination
- Establishing, maintaining, and monitoring vendor entitlements to align with firm risk appetite and information security standards
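The last two items above are a recurring reconciliation: every enabled vendor account must map to a live contract, and its entitlements must stay within what the contract approved. The script below is an added example, not part of this page or of RND Resources’ own tooling; it assumes a constructed contract register and a constructed account export (in practice the account listing would come from the firm’s identity provider or directory), and flags accounts whose contract has ended, accounts with no contract on file, entitlements beyond the approved set, and contracts ending within the next 30 days so offboarding can be scheduled before the end date.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical, not from the page): a contract register
# keyed by vendor, and an export of vendor service accounts with their roles.
CONTRACTS = {
    "acme-reconcile": {"end": date(2024, 3, 31), "approved_roles": {"reports-read"}},
    "northwind-ops":  {"end": date(2025, 12, 31), "approved_roles": {"ticketing-rw", "vpn"}},
    "globex-audit":   {"end": date(2025, 6, 30), "approved_roles": {"reports-read"}},
    "vandelay-sec":   {"end": date(2025, 2, 1), "approved_roles": {"vpn"}},
}

ACCOUNTS = [
    {"user": "svc_acme01",   "vendor": "acme-reconcile", "enabled": True,  "roles": {"reports-read"}},
    {"user": "svc_nw_ops",   "vendor": "northwind-ops",  "enabled": True,  "roles": {"ticketing-rw", "vpn", "domain-admin"}},
    {"user": "svc_globex",   "vendor": "globex-audit",   "enabled": True,  "roles": {"reports-read"}},
    {"user": "svc_vandelay", "vendor": "vandelay-sec",   "enabled": True,  "roles": {"vpn"}},
    {"user": "svc_unknown",  "vendor": "initech",        "enabled": True,  "roles": {"vpn"}},
    {"user": "svc_acme02",   "vendor": "acme-reconcile", "enabled": False, "roles": set()},
]

# Review date is fixed so the run is reproducible; a scheduled job would use date.today().
REVIEW_DATE = date(2025, 1, 15)
EXPIRY_WARNING = timedelta(days=30)


def review_vendor_access(contracts, accounts, today):
    """Return a list of (user, finding_code, detail) for enabled vendor accounts.

    Disabled accounts are skipped: they hold no live access, so they are not a
    finding here (their roles should still be stripped during offboarding).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        contract = contracts.get(acct["vendor"])
        if contract is None:
            # No contract on file means no basis for the access at all.
            findings.append((acct["user"], "no-contract",
                             "enabled account for vendor with no contract on file"))
            continue
        end = contract["end"]
        if today > end:
            # Access must stop on termination; an enabled account past the end date
            # is the control failure the page's item describes.
            findings.append((acct["user"], "expired-contract",
                             f"contract ended {end.isoformat()}; disable immediately"))
        elif end - today <= EXPIRY_WARNING:
            findings.append((acct["user"], "expiring-soon",
                             f"contract ends {end.isoformat()}; schedule offboarding"))
        excess = acct["roles"] - contract["approved_roles"]
        if excess:
            # Entitlement drift: roles granted beyond what the contract approved.
            findings.append((acct["user"], "excess-entitlement",
                             f"roles beyond approved set: {sorted(excess)}"))
    return findings


def run_review():
    """Run the reconciliation over the constructed data at the fixed review date."""
    return review_vendor_access(CONTRACTS, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, code, detail in run_review():
        print(f"{code:18} {user:14} {detail}")
```

Each finding code maps to one action: `expired-contract` and `no-contract` are disable-now tickets, `excess-entitlement` goes to the access owner for removal or a contract amendment, and `expiring-soon` opens the offboarding task ahead of the end date. Running the check on a schedule and diffing against the previous run is what turns the page's "monitoring vendor entitlements" item into evidence you can show an examiner.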
Without the right training, your staff can be another major source of cybersecurity risk. FINRA found that many successful cybersecurity attacks were the result of employee mistakes, such as accidentally downloading malware or responding to a phishing e-mail.
The NIST Framework identifies training as a critical piece of an organization’s cybersecurity infrastructure. NIST recommends that all users be trained to understand their specific roles and responsibilities, including the risks associated with the data they handle. Provide cybersecurity training for your staff through RND Resources.
- Defining cybersecurity training requirements
- Identifying appropriate cybersecurity training update cycles
- Delivering interactive training that increases audience participation and improves retention
- Building training around the firm’s loss incidents, risk assessment process, and threat intelligence
Cybersecurity threats are ever-evolving and increasing in complexity. Proactive firms can reduce their vulnerability and prevent problems before they even develop. We share the latest cyber intelligence and information with our clients so they learn how to identify, detect, and avoid future threats.
- Assigning responsibility for cybersecurity intelligence and analysis at the organizational and individual levels
- Establishing mechanisms to rapidly share threat intelligence with the appropriate groups within the firm, such as risk management and front-line information technology security staff
- Evaluating threat intelligence from tactical and strategic perspectives, to determine the appropriate course of action
- Participating in information sharing organizations, e.g. FS-ISAC, and periodically evaluating the firm’s information-sharing partners
Cyber insurance is an excellent way to mitigate monetary damages, should you suffer a breach in your security resulting in the release of client information. RND Resources will review your firm’s insurance needs to determine if adequate coverage exists.
- For firms that have cybersecurity coverage: conducting a periodic analysis of the coverage to determine if the policy still meets the firm’s cybersecurity needs and supports its ability to bear losses
- For firms that do not have cyber insurance, evaluating the cyber insurance market to determine if coverage is available that would enhance the firm’s ability to manage the financial impact of cybersecurity events
◊ Read more about current Cybersecurity trends on our Compliance News Aggregator
◊ Find links to Cybersecurity Tools and Compliance Guides in our Resource Center
Cyber Threats are on the rise, are you prepared?
Cyber criminals are increasingly efficient. Advanced Persistent Threats (APTs), data breaches, attacks on online payment systems, ransomware, and malware intrusions: attackers are prepared to disrupt your business and steal company information. Is your plan good enough to fend off intrusion attempts? What is the response plan if an intrusion succeeds?
Make cybersecurity a cornerstone of your business infrastructure.
See our review of FINRA 2015 Cybersecurity Practices Report