Asset Management Intelligence - February 2015 - Cyber Security: A Brave New World
In today’s advanced technological society, commercial organizations are increasingly under attack. The growing reliance on technology, globalization and the inter-connectivity of large financial services firms around the world make them an attractive target for those with the skills to gain access to the systems they use to manage their day-to-day operations.
Financial institutions, such as banks, investment advisory firms, and securities broker-dealers around the world, have been susceptible to cyber attacks. Even large retail chains, such as T.J. Maxx, as well as the U.S. federal government and other sovereign countries, have been victims of cyber espionage. No one connected to the internet is exempt from an attack. Financial firms are by and large the most attractive targets due to the nature of their business. Cyber criminals seek access to personal credit card data and corporate secrets, steal corporate data, engage in money laundering activities and intimidate internet-dependent businesses. As technology becomes more sophisticated, so too will the tools and techniques used to gain access to systems.
Let’s examine financial investment advisors who manage client portfolios, whether in the form of a separate account or in a commingled investment pool such as a private fund or mutual fund. Financial firms are under increasing pressure to communicate more effectively with their clients due to the explosion of mobile capabilities, social media and cloud computing. Therefore, firms that are taking advantage of technology, such as those in the financial services industry seeking to become more transparent and available to their investors, have become more susceptible to cyber crime.
WHAT CAN BE DONE TO FEND OFF ATTACKERS?
While there is no universal solution that will guarantee the security of clients’ personal data, there are some common-sense solutions that will enhance the security of systems used to maintain client information. The good news is that the United States Securities and Exchange Commission (“SEC”) has taken note of these attacks and taken action by proposing new regulations and providing guidance on what financial services firms (primarily investment advisors) can do to address this threat.
On November 19, 2014, the SEC adopted Regulation Systems Compliance and Integrity (“SCI”) under the Securities Exchange Act of 1934. Regulation SCI applies to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems, plan processors, and exempt clearing agencies, and requires these entities to have robust technology controls in place and to promptly take corrective action when problems arise. These types of technology controls encompass a wide range of activities related to mobile devices, email, social media, and client website access, where cyber attacks can occur.
In addition to the adoption of new rules, the SEC has also provided guidance to financial services firms, performed a cyber-sweep inquiry and enhanced its examination program to include a closer look at SEC-registered entities’ information security programs (“ISPs”).
The SEC, in an investment advisor conference sponsored by industry newsletter IAWatch, stated that advisory firms should adopt the National Institute of Standards and Technology controls outlined in its February 12, 2014 whitepaper, “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”). This paper is the outgrowth of Presidential Executive Order 13636, enacted on February 12, 2013, which established a U.S. Government policy “to enhance the security and resilience of the Nation’s critical infrastructure and maintain a cyber environment that encourages efficiency, innovation, and economic prosperity, while promoting safety, security, business confidentiality, privacy, and civil liberties.”
The Framework focuses on using business drivers to guide cyber security activities and on treating cyber security risks as a component of the organization’s risk management process. It consists of three parts:
- The Core Framework: A set of cyber security activities, outcomes, and informative references which are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational profiles.
- The Framework Profile: The Framework, used in conjunction with specific profiles, aligns the firm’s cyber security activities with its business requirements, risk tolerances, and resources.
- The Framework Implementation Tiers: A mechanism for organizations to view and understand the characteristics of their approach to managing cyber security risk.
The Framework is not a one-size-fits-all approach to managing cyber security risk for critical infrastructure. Financial services firms have unique risks – different threats, vulnerabilities, and risk tolerances – and how they implement the Framework will vary. Ultimately, it is aimed at reducing and better managing cyber security risks. The Framework is a living, breathing document that will be updated as industry provides feedback on implementation.
In April 2014, the SEC announced an initiative to assess cyber security preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. As part of this initiative, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) conducted sweep examinations of registered broker-dealers and registered investment advisors focused on: cyber security governance; identification and assessment of cyber security risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cyber security threats.
The results of these sweep examinations will help the OCIE formulate a similar program to incorporate into its routine examinations of investment advisors and broker-dealers.
COMMON SENSE SOLUTIONS
While you are working on implementing the Framework, there are some common-sense, industry best-practice quick fixes that enhance and maintain the information security of critical client and proprietary data at your firm without breaking the bank. These common practices include:
- Eliminate unnecessary data and keep tabs on what is left.
- Ensure essential controls are met and regularly audited to ensure consistent implementation.
- Change default credentials.
- Avoid shared credentials.
- Implement a firewall or access control list (“ACL”) on remote access/administration services.
- Utilize IP blacklisting.
- Update anti-virus and other software consistently.
- Audit user accounts.
- Restrict and monitor privileged users.
- Monitor and filter outbound network traffic.
- Test applications and review code.
- Monitor and mine event logs.
- Change the approach to event monitoring and log analysis.
- Define ‘suspicious’ and ‘anomalous’ (then search and monitor whatever activities you define as such).
- Increase awareness of social engineering.
- Implement cyber security employee training and customer alerts to look for signs of tampering and fraud.
- Create an incident response plan.
- Engage in mock incident testing.
- Secure business partner connections.
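The log-monitoring items above (“Monitor and mine event logs” and “Define ‘suspicious’ and ‘anomalous’ …”) only become actionable once a firm writes its definitions down as rules it can run against its logs. The following Python script is an added example, not part of this newsletter or of any SEC or NIST material: it applies three constructed definitions of “suspicious” (a burst of failed logins from one source, a login to a privileged account from a source not on an admin allow-list, and any successful login outside business hours) to constructed sshd log lines. The host name, user names, IP addresses, thresholds and the 2015 year assumed for the year-less syslog timestamps are all invented for the demonstration.

```python
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample sshd log lines in syslog format; not taken from any real system.
SAMPLE_LOG_LINES = [
    "Feb 10 02:14:01 fsrv sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Feb 10 02:14:03 fsrv sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2",
    "Feb 10 02:14:05 fsrv sshd[2213]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "Feb 10 02:14:07 fsrv sshd[2214]: Failed password for root from 203.0.113.7 port 51128 ssh2",
    "Feb 10 02:14:09 fsrv sshd[2215]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Feb 10 02:14:12 fsrv sshd[2216]: Accepted password for root from 203.0.113.7 port 51132 ssh2",
    "Feb 10 09:02:11 fsrv sshd[1001]: Accepted publickey for alice from 10.0.5.21 port 50212 ssh2",
    "Feb 10 09:15:44 fsrv sshd[1005]: Accepted password for opsadmin from 10.0.5.40 port 50300 ssh2",
    "Feb 10 14:30:00 fsrv sshd[3001]: Failed password for bob from 10.0.5.22 port 50400 ssh2",
    "Feb 10 14:30:20 fsrv sshd[3002]: Accepted password for bob from 10.0.5.22 port 50402 ssh2",
]

# Hypothetical policy knobs: a real firm sets these in its own information security program.
PRIVILEGED_USERS = {"root", "opsadmin"}        # accounts whose logins deserve extra scrutiny
KNOWN_ADMIN_SOURCES = {"10.0.5.40"}            # constructed allow-list of admin jump hosts
BUSINESS_HOURS = range(7, 19)                  # 07:00-18:59 counts as "normal" login time
FAILURE_THRESHOLD = 5                          # this many failures from one source ...
FAILURE_WINDOW_SECONDS = 60                    # ... within this window is a "burst"
LOG_YEAR = 2015                                # syslog lines carry no year; assumed for the demo

# Matches both "Accepted password for alice from ..." and "Failed password for invalid user x from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?:password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port"
)


@dataclass
class Finding:
    rule: str
    when: datetime
    user: str
    source: str


def parse_line(line):
    """Return (timestamp, result, user, source) for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    return when, m["result"], m["user"], m["src"]


def analyze(lines):
    """Apply the three constructed 'suspicious' definitions to log lines given in time order."""
    findings = []
    failures = {}            # source IP -> deque of failure timestamps inside the current window
    reported_bursts = set()  # report each bursting source once, not on every further failure
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue         # not an sshd authentication event; other log shapes are ignored here
        when, result, user, src = parsed
        if result == "Failed":
            window = failures.setdefault(src, deque())
            window.append(when)
            # Drop failures that fell out of the sliding window.
            while (when - window[0]).total_seconds() > FAILURE_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and src not in reported_bursts:
                reported_bursts.add(src)
                findings.append(Finding("failed_login_burst", when, user, src))
            continue
        # Successful login: check the privileged-account and off-hours definitions.
        if user in PRIVILEGED_USERS and src not in KNOWN_ADMIN_SOURCES:
            findings.append(Finding("privileged_login_unknown_source", when, user, src))
        if when.hour not in BUSINESS_HOURS:
            findings.append(Finding("off_hours_login", when, user, src))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG_LINES):
        print(f"{f.when:%Y-%m-%d %H:%M:%S}  {f.rule:32} user={f.user} source={f.source}")
```

On the constructed lines the script raises three findings, all from the same source: the failed-login burst, then a privileged login from that unknown source, then the fact that it happened at two in the morning. Seeing those three together is the kind of correlation that “mining” logs, rather than merely keeping them, is meant to surface; the allow-list and business-hours definitions are deliberately explicit so that a reviewer can read what the firm has decided to call anomalous.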
In addition to the above, here are some common sense, everyday operating principles to implement:
- Perform due diligence on third-party vendors with information security and privacy as part of the agenda.
- Develop an ongoing Vendor Management Program (“VMP”) that subjects those vendors that obtain access to critical client information to the same criteria that the SEC requires of you.
- Your VMP should consider second-tier vendors (when vendors you select in turn outsource your client data to a vendor that they select without your knowledge, e.g., disaster data back-up and recovery sites, systems security, etc.).
- Examine FTP sites in use. Third parties you work with may use their FTP sites for long-term storage.
- FTP sites should be used only to transfer current information. When old files are not removed, it invites cyber chicanery.
- “Risk rank” your firm’s data, with confidential client data and proprietary, non-public, mission-critical data ranked as high.
- You may want to segregate this data on an in-house server that is not widely accessible and limit access to the data through application entitlements.
- Be aware of digital debris, or files that won’t go away when deleted.
- Do not use a cloud-based data retention service for mission-critical data.
- Engage an independent vendor to perform a risk assessment of your ISP and ongoing surprise penetration testing of your network.
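The FTP and risk-ranking items above (old files left on transfer sites, and knowing which data is ranked high) can be checked with a simple retention audit. The Python script below is an added example and is not part of the newsletter: it walks a transfer directory, lists every file older than a retention threshold, and orders the results by a constructed per-folder risk ranking so that stale, high-ranked client data surfaces first. The folder names, the ranking table, the 30-day threshold and the sample files are all hypothetical; build_demo_tree creates a throwaway directory with back-dated timestamps so the example runs offline.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed risk ranking by top-level folder on the transfer site. A real firm derives this from
# its data inventory; anything not in the table is reported as "unranked" so it is not silently ignored.
FOLDER_RISK = {"clients": "high", "positions": "high", "marketing": "low"}
RISK_ORDER = {"high": 0, "unranked": 1, "low": 2}
DEFAULT_MAX_AGE_DAYS = 30   # hypothetical retention limit for a transfer-only area
SECONDS_PER_DAY = 86400


def find_stale_files(root, max_age_days=DEFAULT_MAX_AGE_DAYS, now=None):
    """Return [(relative_path, age_in_days, risk)] for files older than max_age_days.

    Results are sorted highest risk first and, within a risk band, oldest first, so the
    top of the report is what should be removed or justified before anything else.
    """
    root = Path(root)
    now = time.time() if now is None else now
    stale = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        age_days = (now - path.stat().st_mtime) / SECONDS_PER_DAY
        if age_days < max_age_days:
            continue
        rel = path.relative_to(root)
        top_folder = rel.parts[0] if len(rel.parts) > 1 else ""
        risk = FOLDER_RISK.get(top_folder, "unranked")
        stale.append((rel.as_posix(), round(age_days, 1), risk))
    stale.sort(key=lambda item: (RISK_ORDER[item[2]], -item[1]))
    return stale


def build_demo_tree():
    """Create a throwaway directory of constructed files whose mtimes are back-dated by N days."""
    root = Path(tempfile.mkdtemp(prefix="ftp_audit_"))
    now = time.time()
    samples = {                               # relative path -> age in days (constructed)
        "clients/q3_holdings.csv": 95,
        "positions/eod_2014-12-31.txt": 45,
        "marketing/brochure.pdf": 120,
        "clients/todays_transfer.csv": 0,     # fresh file: must not be reported
    }
    for rel, age_days in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("constructed sample content\n")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(f, (stamp, stamp))           # back-date both access and modification time
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for rel, age, risk in find_stale_files(demo_root):
            print(f"{risk:8} {age:6.1f} days  {rel}")
    finally:
        shutil.rmtree(demo_root)              # clean up the throwaway tree
```

The audit reports three stale files and puts the two high-ranked ones first even though the marketing brochure is the oldest; the fresh client transfer is left alone. The same walk can be run against a mounted third-party FTP area to confirm that a vendor is using it for transfer rather than long-term storage.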
There are a lot of cyber security experts who believe that the next major war between nations will not be fought entirely with bombs, missiles and ground troops, but through cyber attacks that blind countries’ early-warning and defense systems. Yes, it is a Brave New World that is moving quickly toward a more computer- and software-driven society with a reduced dependency on human capital. The real question is: Are you prepared?