This may be one of those cases where regulatory expectation is just as important as the written Rule. The Division of Investment Management’s April 28 guidance used the following language:
“In the staff’s view, there are a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk.” Among these recommendations is the prominent suggestion to:
“Conduct a periodic assessment” in several key areas.
In our estimation the guidance is clear, and “may” suggests you certainly should add a manageable form of Risk Assessment to your firm’s lexicon and review process.
The Regulatory Basis
While the “may wish” suggestive language regarding Risk Assessments in the Division of Investment Management’s (“DIM”) recent Cybersecurity Guidance may sound wishy-washy or like a helpful tip, our speculation would be that in the event of a cybersecurity failure, one of the first questions you may hear from regulators is: “Were you performing regular risk assessments and can we see documentation?”
While we have just conducted a webinar discussing the DIM guidance, we think it is worth listing those areas emphasized for assessment:
Conduct a periodic assessment of:
- the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
- Internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
- security controls and processes currently in place;
- the impact should the information or technology systems become compromised; and
- the effectiveness of the governance structure for the management of cybersecurity risk.
Please contact us if you would like elaboration or further discussion of any one of these chosen areas for periodic assessment, but the real point here is that the SEC has made the process of Risk Assessment fundamental to cybersecurity compliance. We should also mention that the concept of Risk Assessment was quoted in the statistical Cybersecurity Examination Sweep Summary of February 3, 2015, or the results of the Cybersecurity Sweep Document Request of April 2014 in the following manner under “Summary Examination Observations:”
“The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. These broker-dealers (93%) and advisers (79%) reported considering such risk assessments in establishing their cybersecurity policies and procedures.”
“Fewer firms apply these requirements to their vendors. A majority of the broker-dealers (84%) and approximately a third of the advisers (32%) require cybersecurity risk assessments of vendors with access to their firms’ networks.”
FINRA’s February, 2015 “Report on Cybersecurity Practices” perhaps best summarized the importance of Risk Assessment in the “Executive Summary” and the relationship to larger processes like Governance under the following two points:
1. A sound governance framework with strong leadership is essential. Numerous firms made the point that board- and senior-level engagement on cybersecurity issues is critical to the success of firms’ cybersecurity programs.
2. Risk assessments serve as foundational tools for firms to understand the cybersecurity risks they face across the range of the firm’s activities and assets—no matter the firm’s size or business model.
We can go on concerning recent guidance which endorses the process of Risk Assessment, including SIFMA’s “Principles for Effective Cybersecurity Regulatory Guidance (October, 2012), however almost all recent guidance, across industries, discusses and endorses some form of ongoing Risk Assessment related to cybersecurity.
What is a Risk Assessment?
Our simplified definition of a Risk Assessment is the process of identifying and documenting asset vulnerabilities given the understanding of internal and external threats. While we will break this process down into simple steps, just understanding that you have a Governance process or mechanisms in place for repeatedly identifying Cybersecurity Risks should go a long way toward satisfying regulators and hopefully reducing business risk.
The granular Risk Assessment process, or assessing the risk of a specific assets such as sensitive information or your systems controls, is also directly related to your larger Enterprise Risk Management (ERM) process. For smaller and medium sized firms, the ERM process may be quite simple, committee-based, and dependent on available resources, but, nonetheless, all financial services firms, especially those governed by the SEC and FINRA, should have an overall risk management program in place, which identifies not only investment risk but operational considerations such as IT and cybersecurity risks.
There are several ways to conduct Risk Assessment and plenty of specific guidance out there. For example, if you are looking for a regimented, Framework-based approach to Risk Assessment see NIST Publication 800-30 “Guide for Conducting Risk Assessments (September 2012, link below). Such documentation can provide helpful ideas for approaching the Risk Assessment, but we would keep in mind that you always want to tailor the process to the size and scope of your business, making Risk Assessment a reasonable process to ensure its viability. If too complex or onerous, especially given the list of areas to be satisfied by regulators, your process may simply run out of gas or fail. Thus, the best practice suggestion in the DIM guidance and, of course, other Enterprise Risk Management frameworks that Governance structure, the process of Risk Management and Risk Assessment, itself, be periodically reviewed.
The Steps (keep it simple)
- Identify and document specific vulnerabilities – For example, do you maintain Personal Identifiable Information (PII)? Is adequate segregation of data on an as-needed basis in place? Do we aggregate system logs for the identification of anomalous behavior or at least post-breach forensic purposes? Have we implemented a new application which creates specific vulnerabilities such as access to customer accounts?
- Both external and internal threats are considered and documented with respect to the vulnerabilities you have identified in step 1 – Whether you use information sharing sources such as the FS– or other-ISACS or plentiful free resources, are you examining external threats specific to your business and infrastructure? We would also place special emphasis on examining internal or employee threats given the recent connection to the concepts of Fraud in the DIM guidance (see our previous blogpost: Fraud Breach and Insider Activity).
- Consider the potential business impacts and likelihoods for risks/vulnerabilities you have identified. This very standard notion of documenting Risks plus a rating for Impact and Likelihood (of occurrence) are the basics of constructing a simple risk matrix. In other words, use steps 1 and 2 to document specific risks. There is also a close relationship to Response and Recovery Plans and testing/documenting for such occurrences which leads to the final point.
- Risk Responses are identified and prioritized. Understand your biggest risks, continuously assess for the purpose of mitigation and effectiveness of controls, and know your responses. These concepts may have been made more important as a result of the recent DOJ Guidance also mentioned in our webinar: Best Practices for Victim Response and Reporting of Cyber Incidents.
We would be remiss in failing to mention the NIST Framework for Improving Critical Infrastructure Cybersecurity (“NIST CSF”) which concisely describes the relationship of cybersecurity risk assessment to the overall ERM or risk management process. Addressing Governance structures paves the way for a productive process but also sends the right message to regulators. Also note that the entire NIST CSF category (Risk Assessment (ID.RA) is dedicated to common risk assessment steps. In other words, this is another area in which the NIST CSF is helping you to assess and document risk management and business processes which are being emphasized by regulators.
Contact Artemis for free consultation and discussion of reasonable and cost-effective solutions to Risk Assessment other current cybersecurity and regulatory issues. 800-248-4100 or email: tim@artemissecure.com
Further Reading: (Links will open in a new window)
Division of Investment Management’s Guidance Update
Cybersecurity Examination Sweep Summary
FINRA’s February 2015 Report on Cybersecurity Practices
SIFMA’s Principles for Effective Cybersecurity Regulatory Guidance
NIST Publication 800-30 Guide for Conducting Risk Assessments