In light of the targeted cybersecurity sweep exams and expanded exam modules of the SEC, FINRA and state securities regulators, and recent enforcement actions related to cyber breaches, it is important for financial firms to step back and reassess their policies and procedures related to cybersecurity and the protection of customer information. To that end, registered investment advisers and broker-dealers must implement a systematic approach to identifying areas of security vulnerability.
With this in mind, the following points are meant as a review and overview of the preliminary steps registered investment advisers and broker-dealers should take in achieving and maintaining an increased level of cybersecurity in the 2015 regulatory environment. While the list is not exhaustive, it is a starting point, and failure to meet these minimum standards will expose firms both to regulatory action and to substantial business and reputational cost in the event of a breach of customer data.
- Create a detailed inventory of your firm's devices and systems, including software and applications, and catalogue the firm's network connections to and from external sources. It is very important to know how customer data flows through the organization and at which points (internal or external) that information could be exposed.
- Make sure that the firm's resources are protected in proportion to the sensitivity of the information they hold. Ensure that every device, system and application restricts access to the personnel who need it and enforces strong password protection.
- Perform risk assessments regularly, at least annually, to identify new cyber threats and address vulnerabilities in your firm's current security controls. The risk management process should follow a recognized standard, such as those published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).
- Appoint a person to oversee the cybersecurity program. That person is responsible for the annual assessment, for limiting access to sensitive data and risk management tools to appropriate personnel, and for the training and education of all staff members and customers in identifying and reporting potential security breaches.
- Encryption is now commercially available and should be used whenever customer, employee or other confidential data is transmitted electronically. At a minimum, confidential data should be redacted from documents and/or the documents should be password protected, bearing in mind that password protection alone is a weaker control than proper encryption. Additionally, in a recent action the SEC sanctioned a firm for holding unencrypted customer information on its server, which raises the bar considerably: regulators now expect encryption of sensitive data at rest, not only in transit.
- Update policies and procedures to state who will be granted access privileges, which resources will be accessible to each business function, and the process for changing or removing access when an individual changes roles or leaves the firm.
- Schedule regular system updates, including security patches, together with regular reviews of internet-facing functions and of third-party systems and service providers. Removable media and mobile devices should be covered by their own security protocols.
- Since the question is not if there will be a breach but when, you need to build an incident response and recovery process into your cybersecurity procedures.
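The encryption point above is the one item in this list that is a concrete technique rather than a policy, so here is an added worked example that is not part of the original article. It shows what "encrypted customer information on the server" means in practice: a customer record is sealed with AES-256-GCM before it is written to storage (the authentication tag means any tampering with the stored blob is detected on read), and a separate redaction step masks SSNs and account numbers for copies that must be shared. The record, the identifier patterns and the in-memory key are all constructed for this example; a real deployment would tune the patterns to its own account formats and would obtain the key from a key-management system rather than generating it beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// sampleRecord is a constructed customer record used only for this example.
const sampleRecord = "Client: Jane Doe, SSN 123-45-6789, brokerage account 987654321012, email jane@example.com"

// Illustrative patterns for the identifiers a firm would want to redact; a real
// deployment would extend these to its own account-number formats.
var (
	ssnPattern  = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	acctPattern = regexp.MustCompile(`\b\d{10,16}\b`)
)

// Redact masks SSNs and long account numbers down to their last four digits so
// a document can be shared or printed without exposing the full identifier.
func Redact(text string) string {
	out := ssnPattern.ReplaceAllStringFunc(text, func(s string) string {
		return "***-**-" + s[len(s)-4:]
	})
	return acctPattern.ReplaceAllStringFunc(out, func(s string) string {
		return "****" + s[len(s)-4:]
	})
}

// Encrypt seals a record with AES-256-GCM. The 12-byte random nonce is
// prepended to the output; the GCM authentication tag means any modification of
// the stored blob is detected when it is opened. The key must be 32 bytes.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails closed on a truncated or tampered blob.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// newGCM builds the AEAD, rejecting any key that is not AES-256 sized.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// In production the key comes from a key-management system, never from the
	// same disk as the data; it is generated in memory here only for the demo.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on server: %x\n", blob)

	plain, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("redacted copy:  ", Redact(string(plain)))

	blob[len(blob)-1] ^= 0x01 // simulate corruption or tampering of the stored file
	if _, err := Decrypt(key, blob); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

Two design points matter here. GCM nonces must never repeat under the same key, so each record gets a fresh random nonce and the key should be rotated before the number of records under it grows large. And redaction is applied to the decrypted copy that is about to leave the firm, not to the stored record, so the firm keeps the full data under encryption while anything printed or emailed carries only the last four digits.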
The financial industry has a responsibility to its customers to provide a secure and well-maintained business environment. While these best practices can be used as a guide, they do not account for all of the fast-growing, ever-changing and increasingly sophisticated cyber threats being unleashed on unsuspecting businesses and their customers.
Ultimately everyone must stay alert! If something seems suspicious, it probably is.