More Actions You Can Take to Buttress Your Firm’s Cybersecurity
With the SEC’s and FINRA’s cybersecurity sweep exams in full swing, consider inventorying your firm’s “information” to classify which data you regard as sensitive and which are not.
“You should create a list” of all of your information… and then “classify that information by its sensitivity,” recommends Vivian Maese, a partner with Dechert in New York. Next, ask what systems contain what information to know where your protection efforts must focus. For instance, you may elect to encrypt the highly sensitive data (e.g., client Social Security numbers) but leave public information (your firm’s address) undisturbed.
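The inventory-then-classify-then-map exercise described above lends itself to a small script. The following is an added example written for this article, not code from IA Watch or any of the firms quoted; the sensitivity tiers, the control-per-tier mapping and the sample inventory are constructed assumptions. It generalises slightly beyond the article's two data points (Social Security numbers encrypted, the firm's address left alone): each system inherits the highest sensitivity of anything it holds, and the script reports which systems lack the controls that tier calls for.

```python
"""Added example (not from the IA Watch article): a minimal data-inventory
model that classifies information by sensitivity, maps each element to the
systems holding it, and reports where protection falls short.

The tiers, REQUIRED_CONTROLS mapping and sample inventory are constructed
assumptions for illustration, not any firm's real data or policy."""
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0        # e.g. the firm's address
    INTERNAL = 1      # e.g. internal memos
    CONFIDENTIAL = 2  # e.g. client account balances
    RESTRICTED = 3    # e.g. client Social Security numbers


# Controls expected at each tier (assumed mapping; the firm's policy decides).
REQUIRED_CONTROLS = {
    Sensitivity.PUBLIC: set(),
    Sensitivity.INTERNAL: {"access-control"},
    Sensitivity.CONFIDENTIAL: {"access-control", "encryption-at-rest"},
    Sensitivity.RESTRICTED: {"access-control", "encryption-at-rest",
                             "encryption-in-transit", "access-logging"},
}


@dataclass
class DataElement:
    name: str
    sensitivity: Sensitivity
    systems: set  # names of systems that store or process this element


@dataclass
class System:
    name: str
    controls: set = field(default_factory=set)  # controls already in place


def system_sensitivity(inventory, system_name):
    """A system inherits the highest sensitivity of any element it holds."""
    held = [e.sensitivity for e in inventory if system_name in e.systems]
    return max(held, default=Sensitivity.PUBLIC)


def control_gaps(inventory, systems):
    """Return {system name: missing controls} for every system whose
    controls fall short of what its most sensitive data requires."""
    gaps = {}
    for s in systems:
        needed = REQUIRED_CONTROLS[system_sensitivity(inventory, s.name)]
        missing = needed - s.controls
        if missing:
            gaps[s.name] = missing
    return gaps


# Constructed sample inventory: what the firm holds and where.
INVENTORY = [
    DataElement("client SSNs", Sensitivity.RESTRICTED, {"crm", "backup-nas"}),
    DataElement("client account balances", Sensitivity.CONFIDENTIAL,
                {"crm", "portfolio-app"}),
    DataElement("firm address", Sensitivity.PUBLIC, {"website"}),
    DataElement("internal memos", Sensitivity.INTERNAL, {"file-share"}),
]

# Constructed sample systems and the controls each currently has.
SYSTEMS = [
    System("crm", {"access-control", "encryption-at-rest",
                   "encryption-in-transit", "access-logging"}),
    System("backup-nas", {"access-control"}),
    System("portfolio-app", {"access-control"}),
    System("website", set()),
    System("file-share", {"access-control"}),
]

if __name__ == "__main__":
    for s in SYSTEMS:
        tier = system_sensitivity(INVENTORY, s.name).name
        print(f"{s.name:14} tier={tier}")
    for name, missing in control_gaps(INVENTORY, SYSTEMS).items():
        print(f"GAP {name}: add {sorted(missing)}")
```

Run as written, the report flags the backup appliance that holds a copy of the SSNs but has no encryption or logging, and the portfolio application that holds balances unencrypted, while the public website correctly needs nothing. The point of the max-of-held-data rule is that a backup or secondary system quietly inherits the obligations of the most sensitive record copied onto it.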
We’ve shared cybersecurity best practices before (IA Watch, March 24, 2014), which speak to the need to weigh the risks to your system from vendors and even clients. “Everybody is so connected now,” says Elizabeth Ferrell, a partner with McKenna Long in Washington, D.C. Be sure to tell clients that “you’re as vulnerable as we are,” she stresses.
A good place to start to devise a cybersecurity plan at your firm is with OCIE’s cybersecurity sweep letter (IA Watch, April 21, 2014). “Use it as a checklist,” recommends Catherine Anderson, counsel at Foley Hoag in Boston. Let its extensive queries pinpoint where you “need to beef up” your protections, she adds.
Do frequent risk assessments
Assessing your cyber risks annually may not be sufficient because the wired world moves so quickly. “By that time, I think it will be too late,” says Bao Nguyen of risk advisory services at IT consultant Kaufman Rossin in Boca Raton, Fla. He favors more frequent assessments.
A simple example of such risks may be that your firm’s data center that houses your server isn’t locked, says Jorge Rey, Kaufman Rossin’s director of information security and compliance. The control would be to lock it.
Other steps to contemplate range from installing an enhanced firewall, requiring staff to use strong passwords or even moving to two-factor authentication, and keeping anti-virus software current.
More sophisticated actions would be to conduct a vulnerability assessment and a penetration test, says John Leach, president/CEO of Winquest Engineering Corp. in Fort Meade, Md. The former involves looking for malware and ensuring security patches are current. The step also scans the system’s network and identifies all of the equipment connected to it.
A penetration test probes a firm’s network to gain access. It’s preferred over the vulnerability assessment because the latter can produce many false positives, says Leach. A penetration test can run from $7,000 to $50,000, depending on the size of the system. His firm prefers to conduct the penetration test from inside a firm “because it addresses the insider threat as well,” he says.
These aren’t one-and-done tests either. Leach recommends them annually. If this has smaller advisers choking at the costs, it just may be the price of doing business in the Internet world. “I don’t know if there’s any other way you can get around [spending on cybersecurity] now,” says Kimberly Kiefer Peretti, a partner at Alston & Bird in Washington, D.C.
A more drastic step
Winquest stands a stone’s throw from the National Security Agency, the government’s storehouse of secrets. Leach won’t say if his firm works with the NSA but it does serve government clients. He mentioned a drastic step firms could consider that may not be practical but is a strategy his firm uses: the air gap. Essentially, this means keeping some computers off the Internet completely – even saying goodbye to Wi-Fi.
You also can try to limit the amount of sensitive data you keep. “The less we have … the less we have to worry about,” says Leach.
3 best practices to consider at your firm
Maese recommends three steps for advisers to improve their cybersecurity:
- Conduct background checks on employees. Cyber threats “more often” come from insiders, like careless, disgruntled or rogue employees, she says.
- Train staff to be on alert. Just as New York City taught residents to counter the threat of terrorism via its “see something, say something” campaign, you need to train staff to report incidents that open cyber risks.
- Manage your vendors. This begins with asking them what they do and “where in the world they do it,” says Maese. They may have computer systems outside the U.S. “in places beyond your reach.” Quiz vendors on their cybersecurity policies and procedures, how they process information and where and whether they conduct background checks on their employees, she adds.
Ferrell tells of a firm in which all employees’ sensitive data fell into the wrong hands because its payroll vendor suffered a breach. Reports now indicate that the infamous Target breach originated through a vendor.
Taking on vendors
Have vendors fill out a cybersecurity questionnaire that asks if they have policies and procedures (P&Ps) based on industry standards, whether their IT staff are in-house or outsourced, and whether they conduct vulnerability scanning and keep logs of incidents. All of this gets “at whether these people have even thought about cybersecurity,” says Ferrell. Ask vendors if they control information on a need-to-know basis, suggests Maese. They also should do intrusion detection monitoring and test their plan. Put this in your contracts, she adds. If you can, visit with your vendors to examine their controls, says Anderson.
An alternative is to ask to see their Service Organization Control (SOC) report, recommends Rey. These come from outside auditors who would assess a firm’s cybersecurity protections. These reports can be expensive. If your vendor doesn’t have a SOC, “you should have in your contract the right to audit” the vendor’s cybersecurity program, says Rey. A shortcut would be to ask for a vendor’s cybersecurity policies and procedures. Look for when they were last updated. A good program would update theirs annually, he says.
Another option is to request a written attestation that the vendor uses software to ensure customer data are protected. Anderson prefers reps and warranties in vendor contracts. Rey says a small step would be to search online for any news that the vendor has been a victim of data intrusion.
You can use many of these same techniques for your own firm – for when your business partners inquire about your cybersecurity protections.
Kiefer Peretti offers two final tips. Avoid the mistake of mandating the reporting of all data breaches only to IT staff; your firm’s leaders should know about these as well. And turn to industry forums for more ideas, such as the Financial Services Information Sharing and Analysis Center.
Bao Nguyen, CAMS, CFE, CRCP, is a Risk Advisory Services Broker-Dealer and Investment Adviser Services at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.