Suggestions to Achieve Greater Maturity
On Monday, the SEC released “Observations” on the seminal 2015 Cybersecurity Examination Initiative or what they are now referring to as “Sweep 2.” While we find this document to be an unremarkable kitchen-sink of cyber-findings, the SEC has offered a concept for what they consider to be robust practices and perhaps a roadmap for achieving a higher level of Cybersecurity maturity for firms. We have reviewed the release and have distilled what we believe to be the key takeaways and suggestions for improving your program.
To the degree that observations on a near two-year old examination period are accurate or relevant is questionable. A whole new class of security tools is available, infrastructure and movement toward cloud-based services continues, and firms have been plodding forward on information security practices despite the SEC’s nearly two-year silence on the subject. This is not completely fair as the SEC did include Cybersecurity as a concern under “Assessing Market-Wide Risks” in the 2017 Examination Priorities and issued a more timely, May 17 Risk Alert on Ransomware in the wake of WannaCry attacks. There is progression in the SEC’s approach to Cybersecurity and now fourth Risk Alert, and the Commission has been clear that they are still finding facts and learning in an area of persistent high risk and developing regulatory scrutiny.
The SEC started the initiative with a clear focus on Policies and Procedures and fundamental identification and protection practices. IT security evolves organically from basic blocking and tackling of controls to more advanced practices such as monitoring/detection and testing/validation. The SEC’s understanding and corresponding expectations of financial services firms appears to be developing along similar lines – to a call for greater granularity and specificity in certain IT security activities.
Regulatory Compliance Basics
The Observations Alert is broken down into two sections of both considerations and findings:
How firms are managing their written policies and procedures, including noted successes and failures; and
More robust practices which should be considered at all firms.
The 75 responding firms included advisers, broker-dealers, and investment companies. The SEC concludes that nearly all are maintaining some degree of policies and procedures related to cybersecurity and protection of customer data.
Operating under the assumption that you have policies and procedures in place, the SEC expresses concern with respect to effectiveness. In other words, the Alert points to weaknesses that polices may be too general (perhaps indicating template or “off-the-shelf” varieties), polices may not be accurate or correctly mapped to practices, and finally, polices may not be adhered to. We view these as somewhat standard regulatory compliance concerns in the development of polices, recognizing that technology controls should have specificity.
Other standard compliance activities hit in the Observations include the concept that Trainings may not be mandatory of fully attended. Training is a requirement of Regulation S-ID, and we know that regulators will measure the strength and seriousness of your Compliance Program by such participation and documentation. The SEC is making clear here that, even if your firm is not subject to the full extent of Regulation S-ID, some degree of customized training should be provided and that all members of the firm should be required to attend.
Robust Elements
The Observations Alert can be simplified by understanding that your policies and procedures for IT Security need to be accurate and detailed, and the items listed under “Elements of Robust Policies and Procedures” should be put on the table at your IT Security, Compliance, or Risk Committee meeting and pondered.
While we do not intend to make observations on the Observations or comment on all items listed, we are summarizing items in what we believe to be key takeaways. This is the list of cybersecurity practices which impressed the SEC, some of which they have clearly called for in past releases and some of which represent the next steps for many firms.
Make sure you address Data Classification and, if feasible, classify risks. This should have already been clear as it was one of the five periodic assessments recommended in the Division of Investment Management’s Guidance from April of 2015. Vendor classification is mentioned in this same bullet, and there should be an understanding that your Vendor Management Program is risk-based.
All firms must have employee Onboarding/Offboarding policies and procedures which address access rights. No surprise here as the SEC addressed “Access Rights and Controls” in the Examination Initiative, however there are two bullets discussing employee roles/changes and termination. This is an area which is testable. “Let’s see your policy and Active Directory group and user structure.” We also know that this area is already being probed in the exam process.
Have a detailed Patch Management Plan which addresses deployment timing and validation. This concept is old as the hills and patch management is elemental to any program. The new focus here is driven by WannaCry and Petya/Not-Petya attacks, Microsoft releasing a raft of critical patches in the past two months, and the concept that businesses can be broadly vulnerable based upon common services and protocols. The SEC will be looking at patching reports with attention to critical security updates. This suggests that all firms should consider central administrative solutions for patching.
Create a Vulnerability Management Plan which includes detailed description of Vulnerability Scanning and Penetration Testing activities. The Observations note that only half of the investment advisers out there are conducting pentesting. There is also reference to the failure on the part of firms to mitigate high and critical-level findings. We view this as common sense, but mitigation and related patching has complexities and risks, so firms must manage these activities carefully. What you don’t want to do is leave identified risks unaddressed without some type of plan for mitigation. This is familiar regulatory territory covering new subject matter. If you have never conducted scanning or testing, come up with a reasonable plan for creating baselines and a risk-based, regular schedule.
Think about Monitoring, Detection and system-level visibility. Monitoring and detection capabilities, beyond centrally administered antivirus, have become more feasible from a cost and implementation standpoint. We often find ourselves asking the question, “do you have any monitoring or detection capabilities at the endpoint or network-level?” Or perhaps more simply, “could you detect breach?” We see this as the next horizon for the SEC, but there is a brief, albeit vague reference here to system auditing which is open to interpretation.
Address Mobile Device Management via specific controls and central administration. Leaving security validation in the hands of your employees for devices which access company email and resources is antiquated. We always speak with firms about having policy, requiring pins/passwords and remote wipe capability. This is another area which is easy to validate, and regulators are inquiring about this in examination.
If you don’t have one, you must create an Acceptable Use policy for employees which has some granularity. It’s not enough to have high-level IT security polices, you must address your employees, and this is part of education and training.
Reporting and Escalation must be addressed in your Incident Response and Recovery Program. Incident response cannot be credible without training employees about anomalous behavior and the reporting chain. Promptly reporting incidents and unusual behavior can also be the key to isolation and preventing progression of security incidents. This line of thinking derives directly from the Assumption of Breach (AOB) doctrine: breach is going to happen and rapid detection and response is critical. The SEC has underlined this as an important point and suggests that IRP’s should be more than general.
Conclusion
The 2015 Cybersecurity Examination Initiative is a well-structured document that provides six areas of focus for Investment Advisers, Broker-Dealers, and Investment Companies to incorporate into their IT Security Programs: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. We have found this document to be helpful to clients in prioritizing complex subject matter, understanding potential regulatory scrutiny, and in improving Cybersecurity Programs. Putting this document on the table, even at this point, will assist you in addressing many of the Observations obligatorily provided by the SEC.
The Observations Alert makes clear the Grace Period for policies and procedures and raising your IT Security Program to basic levels has ended. The SEC is now offering a pointer to a higher level of granularity, testing, and validation, which we view as the natural progression in IT security.
If you have any questions about the adequacy of your program or policies and procedures, please feel free to contact us for discussion.
Informative References:
The SEC’s 2015 Cybersecurity Examination Initiative
https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
The 2017 Examination Priorities
https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf
The May 17 Cybersecurity: Ransomware Alert
https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf
The Division of Investment Management’s April 2015 Cybersecurity Guidance
https://www.sec.gov/investment/im-guidance-2015-02.pdf