Rebalance Cybersecurity Initiatives for 2018

Update CyberSecurity Policy and Procedures for 2018

Broker-dealer and RIA firms are becoming more vulnerable to cyber threats every day because of their increased reliance on web-based solutions and mobile devices. As a regulatory compliance consulting firm, our staff can see the cybersecurity plan for BDs and RIAs becoming an increasingly important part of business strategy. Data theft by cyber-criminals, attacks by nation states or terrorist groups, hacktivists causing embarrassment, and internal attacks from company insiders, employees, or competitors all present a viable threat to financial services businesses. Given the broad spectrum of threats, firms should closely monitor cyber activity at their firm and use the methods outlined by FINRA and the SEC for implementing their cybersecurity program.

Download - Cybersecurity Gap Analysis Worksheet

Elements of an effective Cybersecurity plan –

FINRA released a report in February 2015 outlining its expectations of a sound cybersecurity program. It included the following criteria:

  • Cybersecurity Governance and Risk Management – A governance framework for decision making and handling issues; policies, processes, and relevant controls.
  • Cybersecurity Risk Assessment – Conduct regular assessments to identify risks and threats; maintain an inventory of assets posing a risk; prioritize by threat level and implement remediation where appropriate.
  • Technical Controls – Protection of firm software, hardware, and data; penetration testing and encryption standards.
  • Incident Response Planning – Procedures for identifying the threat level of a cybersecurity incident and escalating the crisis appropriately for an efficient resolution.
  • Vendor Management – Risk-based analysis of vendors; analysis of the cybersecurity threat arising from data sharing with third-party vendors.
  • Staff Training – Training tailored to staff and business operations, including testing, periodic training schedules, and remediation efforts.
  • Cyber Intelligence and Information Sharing – Periodic evaluation of cyber threats and strategic objectives, and assessment of the firm’s ability to respond to a breach or disruption.
  • Cyber Insurance – Analysis of the potential to offset the remediation expense of a cyber-incident; regular review of coverage and objectives.

Regulators such as FINRA and the SEC suggest using a risk-based approach to cybersecurity, implemented alongside industry frameworks and standards. An example of an acceptable industry framework is the one developed by NIST (National Institute of Standards and Technology), the “Framework for Improving Critical Infrastructure Cybersecurity”. The NIST Framework is a flexible method designed around business needs, risk tolerance, and resources.

Below are 7 suggestions from RND Resources Inc. to improve cybersecurity strategy for firms updating and reviewing cybersecurity initiatives for 2017-2018. When implemented, these recommendations can ease anxiety about a regulatory cybersecurity examination and improve the chances of a smooth FINRA or SEC examination process.

  • Appoint an executive leader to take ownership of the cybersecurity program for your firm.
  • Review the FINRA whitepaper on cybersecurity practices for broker-dealers and investment firms annually, including the FinCEN guidance on Suspicious Activity Reports.
  • Test the firm’s incident response plan (IRP) and make adjustments where appropriate.
  • Review employee manuals regarding cybersecurity procedures and policies. Regularly update the employee cybersecurity manual to include new threats and risks.
  • Maintain a written standard for employees to refer to in case of an incident. Be sure to distribute updated policy changes and include them in the employee cybersecurity manual.
  • Design a training program that includes testing criteria for each job description and department. Recognize that the majority of cyber-incidents are attributed to carelessness, ill will, or lack of staff training. Test employees on using the plan periodically, randomly, and without warning.
  • Develop standards for on-boarding vendor service providers who have been given access to electronic data. Annually review each third-party vendor’s cybersecurity policy and determine the risk it poses to your firm’s electronic data security.

Going forward with cybersecurity initiatives

In August 2017 the SEC released a National Exam Program Risk Alert from the Office of Compliance Inspections and Examinations (OCIE). The release detailed findings from cybersecurity examinations of BD and RIA firms conducted from 2014 through 2016. The weaknesses uncovered in the Cybersecurity 2 Initiative examinations, and the areas where the OCIE sees potential for improvement, follow:

  1. While nearly all BDs and RIAs examined maintained written policy manuals, many were not reasonably tailored to the firm. Examiners found manuals that were too general, vague, or limited in their examples and best practices. They noted that manuals only vaguely described the procedures for initiating a cyber incident response.
  2. While firms had devised cybersecurity policies, many were not adhered to. For instance, annual reviews were not conducted annually. Testing of security protocols was never conducted or rarely improved upon. Some instruction manuals were structured too poorly relative to their critical purpose.
  3. With regard to Regulation S-P, “Privacy and Protection of Consumer Financial Information”, installation of software updates and patches was not timely. Poorly maintained or outdated systems put consumer data at unreasonable risk. Further, findings from system penetration tests were not remediated in a timely manner.

In further explanation of sound cybersecurity policies and procedures, the OCIE and SEC offer the following suggestions:

Maintain an inventory of data, information, and vendors having access to data. Include classification of risks, data, business consequences, and service provider information.

Keep a cybersecurity log to track events, and include instructions for conducting penetration tests, monitoring and auditing security, restricting access rights for employees and vendors, and recording incidents and outcomes.

Maintain a schedule of testing data systems for integrity and vulnerability. Use a log to track patch updates and steps taken to implement upgrades.

Enforce established controls. Keep detailed logs showing enforced restrictions and controls such as password change schedules. Require activity logs from service provider vendors demonstrating proof of their cybersecurity protocol. Implement same-day expiration of access upon terminating employees. Enforce the employee acceptable use policy.

Implement mandatory employee training on system use and cybersecurity protocol at on-boarding and periodically thereafter.

RND Resources Inc is an outsourced solution for small broker-dealer and RIA firms that are highly focused on growth strategy and business development and do not have the capacity to handle critical components of their cybersecurity framework and governance program. Our professional staff is adept at preparing your cybersecurity program and updating existing manuals to meet current trends and threats. We strive for vertically integrated compliance solutions which are tailored to flow with your business model and meet your firm’s overall business objectives. We encourage firms to reach out to us for assistance when updating their cybersecurity program or planning cybersecurity policies and procedures for a startup BD or RIA. RND Resources Inc – Ph: 818.657.0288

Resources:

FinCEN Advisory Guide for Cyber-Events

FINRA CyberSecurity Practices Guide 2015


CyberSecurity Fundamentals for Financial Industry Executives

Financial industry executives have a unique responsibility to protect investors and proprietary firm information from compromise.

The notion of cybersecurity as an IT department issue has long since been reassessed by securities firms, and the topic is now taken into the boardroom. Discussions include much more than the security of networks, systems, applications, and data; they cover a whole gamut of “what if” scenarios, company policy, and risk-reducing strategy.

For FINRA (Financial Industry Regulatory Authority), cybersecurity protection measures take a broad-sweep approach that covers compromise through the use of any electronic digital media (e.g. computers, mobile devices, Internet-based systems, iPads, software solution providers). And no matter how much of the cybersecurity task is outsourced to IT professionals, the ultimate responsibility lands on the shoulders of each firm’s executive leadership. For this reason, cybersecurity practices have taken a front-and-center seat in boardroom discussions that reach past IT to operations, sales, vendors, and anyone else with access to electronic company data.

RND Resources Inc

Investment Firms need a Cyber-secure Corporate Culture

Protecting client and company data from cyber breach should be a critical operations objective for investment advisory firms today. The risks reach beyond unsuspected internal hacks of software and servers, and cloud computing adds an additional layer of threat. Addressing procedures for protecting data as part of the corporate culture increases the chances of survival in the ever-evolving cyber hack landscape.

Attackers use advanced skills and weapons to organize assaults. Long-term cyber attack strategists sneak into systems and gather information for later use. Other criminals look for easy targets where they can steal money and disrupt business, including holding websites and proprietary data for ransom. Financial industry firms are particularly vulnerable to web-app attacks and DoS (denial of service), as well as insider threats.

Figure: Cyber Attacks profile 2014

Many RIA firms have not yet become adept at developing sound cyber security tactics. They leave themselves and their clients at risk of sudden loss of information, embarrassment, and unforeseen recovery costs. The first step in creating a cyber security strategy should be a comprehensive evaluation of risk and education on the threats that exist.

Educating investment firm staff on how to spot cyber threats can go a long way toward preventing attacks. Firms large and small should have a practical guide to inform employees of rules and procedures. Every list should include the basics:

  • Never email sensitive data to clients. Use HTTPS secure portals and encrypted technology to handle the exchange of information such as account information, wiring instructions, and passwords. Implement a secret code word with clients to ensure authenticity, and verbally confirm transfers.
  • When traveling, use only secure data connections. Free wi-fi access is often a prime opportunity for criminals to gain access to your account data, logins, and passwords. Be aware of your surroundings and be sure to shield your screen from onlookers.
  • Train staff to identify suspicious emails and phishing attempts, and to protect their identity. Require a virus scan and manager approval for downloading attachments. Remind staff to carefully protect confidential personal information on social media sites. Sharing information such as maiden names, middle names, and date of birth presents an easy opportunity for thieves to take over an identity.
  • Require two-step authentication for secure systems. Hackers are known to use advanced algorithms and spyware to crack system passwords. Adding a second layer of protection, such as thumb or hand print validation or authentication images, can stop a threat and identify an attempt for the IT department.
  • Update passwords no less than every 3 months and use different passwords for separate systems. Once hackers discover a password, they will try it across other company systems and portals. Stop them cold by varying login IDs and passwords. Create alphanumeric passwords and include special characters.

Cloud computing adds an additional level of threat to firms, in that firms generally don’t have direct control over the cyber security of their cloud resources. SaaS spending is showing a dramatic growth rate, with cloud computing estimated to reach a worldwide sales volume of $127.5 billion by 2020 according to Forbes. This indicates that the robustness of cyber security going forward will often lie in the hands of those providing cloud resources. However, securities firms and investment advisers are still accountable for using poor judgment in cloud computing arrangements.

Have you tested staff, cloud services, and internal systems to see how they respond to potential threats? Can the staff identify a potentially malicious email or attachment and prevent an attack?

Evaluate the risks

For investment firms, loss due to a cyber breach can incur further costs beyond repair, such as fines and sanctions by authorities. RND Resources, Inc. will be covering regulatory guidelines and strategies at our New York compliance round table for RIA compliance officers and firms on June 29, 2015. We’ll be covering regulatory guidelines and addressing the specific rules investment firms must follow.

RND has expertise in regulatory compliance and is able to assist firms in setting up security controls and in identifying procedures, policies, and standards to maintain data safekeeping.

Contact us to evaluate your cyber-security program, create a procedures checklist, and provide guidance on how to comply with regulatory standards. For quotes call (818) 657-0288.