“An ounce of prevention is worth a pound of cure.”
The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued new guidance on January 27, 2020 which further addresses the cybersecurity risk set confronting regulated financial entities. The report provides visibility into OCIE observations pertaining to effective mitigation of primary cybersecurity risk sets, including:
- Governance
- Access rights
- Data loss prevention
- Mobile security
- Vendor management
- Incident response
- Employee training
OCIE acknowledges the unfortunate and well known truism attendant to the cybersecurity risk set: “Indeed, in an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency.” Following is a summary of the guidance.
Governance and Risk Management
Effective cybersecurity programs start with an appropriate tone at the top, conveyed by senior leaders that are committed to improving their firms’ cyber risk management capabilities to understand, prioritize, communicate, and mitigate cybersecurity risk.
OCIE noted the following best in breed governance attributes:
- Senior Level Engagement: firms devoted appropriate senior leadership attention to establishing and monitoring cyber risk management strategy.
- Risk Assessment: execution of a risk assessment protocol designed to identify, manage, and mitigate cyber risk sets, prioritizing cyber risk sets which should then be mapped to policy, procedure, and/or internal controls.
- Policies and Procedures: implementing written policies and procedures addressing key risks.
- Testing and Monitoring: comprehensive testing and monitoring to validate the effectiveness of policy and procedure.
- Hardwire Internal Control Protocol: promptly integrating testing and monitoring results into the policy/procedure amendment process, with direct management engagement.
- Communication: establish internal and external communication plans to timely disclose cyber related events to regulators, decision makers, customers and/or employees.
Access Rights and Controls
Access rights and controls are implemented to ensure that the appropriate users are designated for systems and networks, and to deploy internal controls which limit access to those authorized users.
OCIE observed the following best in breed access rights/controls policy attributes:
- User Access: define and enforce business rules which govern access to systems and data aligned with user responsibility and requiring periodic account reviews.
- Access Management: managing user access through systems and procedures that:
  - limit access throughout the employment cycle (i.e., employee onboarding, transfers, and terminations);
  - separate duties within the user access approval protocol;
  - re-certify access rights on a periodic basis, more often for high-risk data;
  - require a robust password protocol;
  - require multi-factor authentication; and
  - revoke system access immediately for terminated employees/contractors.
- Access Monitoring: implementation of a monitoring protocol which entails procedures that:
  - monitor and log failed login attempts and account lockouts;
  - ensure proper handling of customer requests for username/password changes;
  - consistently review and log system hardware and software changes; and
  - ensure that system/hardware modifications and patches/enhancements are documented with approval, implementation, and anomaly-handling protocols.
Data Loss Prevention
Data loss prevention typically includes a set of tools and processes an organization uses to ensure that non-public information is not lost, misused, or accessed by unauthorized users. Data loss prevention protocol directly correlates to the data safeguarding provisions of Regulation S-P and the fiduciary standard of care.
OCIE observed the following best in breed data loss prevention protocols:
- Vulnerability Scanning: establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and third-party providers.
- Perimeter Security: implementing controls to monitor and inspect all incoming and outgoing network traffic to prevent unauthorized traffic. These capabilities include firewalls, intrusion detection, email security, and web proxy systems with content filtering. An enterprise data loss prevention solution capable of monitoring and blocking access to personal email, cloud-based file sharing services, social media sites, and removable media such as USB drives and CDs further supports perimeter security.
- Detective Security: implementing controls which detect threats on endpoints. The control protocol should be capable of using both signature-based and behavior-based capabilities to identify incoming fraudulent communications, thereby preventing unauthorized software or malware from running. Procedures should address system logging and enabling optional security features offered by third-party software providers.
- Patch Management: establishing a patch management program for all software and hardware.
- Inventory Hardware and Software: maintaining an inventory of cybersecurity hardware and software assets which identifies asset function, location and responsible parties for security protocol and maintenance.
- Encryption and Network Segmentation: using tools and processes to secure data and systems, including:
  - encrypting data “in motion” both internally and externally;
  - encrypting data “at rest” on all systems including laptops, desktops, mobile phones, tablets, and servers; and
  - implementing network segmentation and access control lists to limit data availability to only authorized systems and networks.
- Insider Threat Monitoring: implementing an insider threat program which identifies suspicious behaviors and provides an escalation protocol to senior management by:
  - increasing the depth and frequency of testing of business systems and conducting penetration tests;
  - creating rules to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information, and source code) from leaving the organization; and
  - tracking corrective actions in response to findings from testing and monitoring, material changes to business operations or technology.
- Securing Legacy Systems and Equipment: verifying that the decommissioning and disposal of hardware and software does not create system vulnerabilities by using processes to:
  - remove sensitive information from decommissioned hardware and software and promptly dispose of it; and
  - reassess vulnerability and risk assessments as legacy systems are replaced with more modern systems.
Mobile Security
Mobile devices/applications create unique cyber vulnerabilities often overlooked by cybersecurity risk management protocol. OCIE observed the following best in breed mobile security policy attributes:
- Implementing Policy and Procedure: implementing written procedures for use of mobile devices.
- Managing the Use of Mobile Devices: using a mobile device management (MDM) application or similar technology for the registrant’s business (email communication, calendar, data storage). If using a “bring your own device” policy, ensuring that the MDM solution works with all mobile phone/device operating systems.
- Implementing Security Measures: requiring the use of multi-factor authentication for all internal and external users of registrant information and data systems; implementing controls which prohibit printing, copying, pasting, or saving information to personal devices; retaining the capability to remotely clear data and content from a device when data is at risk.
- Training Employees: placing particular focus on mobile device security and emphasizing employees’ personal accountability for effective implementation of cybersecurity policy and procedure.
Incident Response and Resiliency
Incident response entails policy components which ensure the timely detection and appropriate disclosure of material information pertaining to cyber incidents and the ability to assess the corrective actions taken in response to such incidents. The capability to quickly recover from a cyber event and safely resume client service is an indication of plan resiliency and should be a critical component of the business continuity plan (BCP).
Incident Response Best Practices
- Developing a Plan: developing a risk-based incident response plan for disruption scenarios including denial of service attacks, malicious disinformation, ransomware, and employee succession. Plan development should incorporate prior cybersecurity incidents and current cyber threats. Other plan attributes observed included:
  - notification and response criteria;
  - escalation protocol which is fully referenced in the governance structure of the firm (senior management, legal and compliance); and
  - communication with key stakeholders and regulators.
- Addressing Applicable Reporting Requirements: policy requires procedures which entail full compliance with all federal and state cyber incident reporting and disclosure requirements and which include a fully articulated law enforcement/client notification protocol, i.e., identifying specific governmental, regulatory and client contacts. For example, the organization should consider contacting local authorities or the FBI if an attack or compromise is discovered or suspected. OCIE also referenced the importance of identifying and preserving any artifacts on network or operating systems which relate to the breach and sharing them with regulators/law enforcement.
- Assigning Staff to Execute Specific Areas of the Plan: designating employees and/or external resources with specific responsibilities to mitigate and respond to cyber incidents.
- Testing and Assessing the Plan: testing the incident response plan and potential recovery times, using a variety of methods including tabletop exercises. Testing protocol includes assessing plan efficacy after a cyber incident and amending the incident response plan based on the outcome.
Resiliency Best Practices
- Maintaining an Inventory of Core Business Operations and Systems: identifying and prioritizing core business services, which informs the registrant’s understanding of the consequences of key system/process failures. Effective resiliency procedures include mapping the systems and processes that support business services, including those over which the organization may not have direct control.
- Assessing Risks and Prioritizing Business Operations: developing a strategy for operational resiliency with defined risk tolerances. Strategic considerations include:
  - identifying systems and processes that are capable of being substituted by peer systems during disruption;
  - ensuring geographic separation of back-up data; and
  - ascertaining the effects of business disruptions on both the institution’s stakeholders and other organizations.
- Considering Additional Safeguards: maintaining back-up data in a different network and offline; evaluating whether cybersecurity insurance is appropriate for the organization’s business.
Vendor Management
Controls related to vendor management include policy and procedures which address: (i) initial and ongoing vendor due diligence; (ii) vendor monitoring and supervision; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process as well as how the organization determines the appropriate level of due diligence to conduct; and (iv) ascertaining that vendors with sensitive client information implement appropriate safeguard and security protocol.
OCIE observed the following best in breed vendor management policy attributes:
- Vendor Management Program: implementing a written vendor management policy designed to monitor and verify vendor compliance with contractual security requirements. OCIE recommends that registrants leverage questionnaires based on reviews of industry standards (e.g., SOC 2, SSAE 18) as well as independent audits. Policy should include procedures addressing vendor termination and/or replacement, with particular focus on cloud-based providers. Monitoring procedures also cover vendor service level changes, product offerings and personnel changes.
- Understanding Vendor Relationships: procedures should ensure familiarity with all contract terms (rights, responsibilities, expectations, etc.) so that all parties have the same understanding of how risk and security are addressed; understanding and managing the risks related to vendor outsourcing, including vendor use of cloud-based services.
Training and Awareness
Employee training and awareness on the cybersecurity challenges confronting the enterprise and the policy implications relative to mitigating these risk sets are critical. OCIE observed the following best in breed employee training policy attributes:
- Policies and Procedures as a Training Guide: training staff to implement the organization’s cyber policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency.
- Use of Examples and Exercises in Trainings: providing specific cybersecurity and resiliency training, including phishing exercises to help employees identify phishing emails; including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious.
- Training Effectiveness: requiring employee attestation of training attendance; evolving training with the current cyber threat environment and in response to the enterprise’s own cyber incident experiences.
Action Plan
OCIE’s message is loud and clear … preventing cyber incidents is the cornerstone of the registrant cyber program. With each pronouncement, the bar keeps creeping higher. Registrants are strongly urged to read the latest cyber guidance and sit down with internal and external IT resources to evaluate and evolve the cybersecurity program. Cyber risk management is like compliance … it is a journey, not a destination.
Follow this link: https://www.sec.gov/news/press-release/2020-20 to read the SEC’s press release and cyber guidance.