In the final, sleepy week of Summer on the 25th of August, the SEC adopted rule changes and additions to Form ADV which were proposed in May of 2015.
The justification for the scope creep of information and “big data” is to fill gaps in intelligence, modernize, and enhance information provided to both clients and the SEC. While some of the new disclosure requirements will be onerous, especially for advisers to SMA accounts at certain RAUM levels, we are most interested, naturally, in the SEC’s request for additional technology-related information: specifically, more data on the internet and social media presence of advisers.
A Deeper Dive on Internet Presence
The adopting release provides under Item 1.I that firms will now have to disclose all websites and all social media platforms in which the adviser has presence and controls content, such as LinkedIn, Facebook, Twitter, and so forth. Previously, the SEC had only required that advisers disclose their website address. The ongoing information grab was further explained in the release as follows:
“a primary purpose of this item is to provide the Commission and our staff with information that may be used in our examination program and for other regulatory purposes. Accordingly, we believe it will be useful to the Commission to have information on an adviser’s use of social media on Form ADV, and this placement in the form is an efficient and readily identifiable location for such information that appropriately serves our regulatory purposes.” Form ADV and Investment Advisers Act Rules, Page 38.
There isn’t much subtlety to the notion that the SEC will continue to push down the roads of examining internet presence for advertising miscues and violations. But we believe ultimately they will come around to issues of IT Security. We can also imagine that this aggregated information will be helpful to Blackhats conducting reconnaissance on financial services firms, as it is of assistance to in any information-gathering process.
Simultaneously, a report released by Proofpoint is making waves in the IT Security community for glaring statistics such as “Nearly 20% of social media accounts associated with ten major global brands are fraudulent.”[1] We won’t recount the entire report or detail but let it suffice that Proofpoint is finding that a significant number of corporate social media sites are phonies and perhaps put in place to draw information from unsuspecting consumers and potential clients/victims.
For the past few years, with mostly the Advertising Rule 206(4)-1 in mind, we have assisted advisers with putting draconian social media policies in place for their employees. Beyond the rule, however, we have always contended that the real concern is the amount of information individuals and firms are giving away which can be leveraged for social engineering attacks. In other words, the compliance juggernaut has largely missed the significance of social media as a path to breach.
The fact that social media has been viewed as a compliance issue for the past few years highlights the gradually thinning divide between IT and compliance, and certainly the SEC plans to continue its colonial charge into Cybersecurity. As the lens of regulatory scrutiny pulls ever-wider, we’d recommend these five points to secure your information:
Securing Your Public Information
- Review Corporate Websites for Unnecessary Personal Information. We understand that money management can be all about communication, but consider whether or not too much contact information (email addresses, direct phone lines, mobile phones) is absolutely necessary to the business model. Some of these pieces of information may be useful to hackers and social engineers profiling your firm to conduct phishing campaigns. Make this review of personal/business information part of the Risk Assessment process or a discussion point with the Information Security Committee.
- Conduct Risk-Based Vulnerability Scanning of your web properties to discover known weakensses. This should clearly be part of the program for any employee or client portals or web applications, and there can also be exploitable vulnerabilities associated with simple, informational websites. Include these potential attack surfaces in your Vulnerability Management Plan and get ahead of the SEC’s expanding expectations.
- Educate your firm personnel on social media use and maintaining privacy, especially when it comes to details of meetings, vacations, and logistic information which may also be useful to the clever social engineer looking to use knowledge of individuals to access your firm. Secure social media platforms, personal email, and web-based applications almost all have 2FA capabilities, which should be utilized by individuals. Roll some of these notions into your IT Security Training.
- Conduct Open Source Intelligence (OSINT) Review or the collection of information from publicly available sources (i.e. the internet) about your firm and personnel to verify that potentially useful historical information isn’t floating around out there. Experiment with a few searches on the Wayback Machine for general corporate info, and Shodan (“the world’s first search engine for internet-connected devices”), for the geeks, to identify devices with public addresses which might be better protected.
- Practice security from the ground-up if you are expanding/changing the firm web presence; meaning consider security and compliance early. Conduct due diligence on website hosting vendors and their security, development, and patching practices. We find at many firms that security of their website and web applications is an afterthought.
Conclusion
We are happy to discuss the adopting release, SMA disclosures, Umbrella Registration, and new Books and Records 204-2 requirements, which will become applicable for most registered investment advisers (those with December 31 fiscal year end) in their 2018 ADV updates. In the meantime and as the SEC scales up the exam process with respect to IT Security, we think it is a good idea to stay ahead of the current and most pressing area of focus, and better secure your firm.
References:
Adopting Release:
https://www.sec.gov/rules/final/2016/ia-4509.pdf
Proofpoint Report on Social Media:
https://www.proofpoint.com/uk/corporate-blog/post/Proofpoint-social-media-brand-fraud-report-uncovers-cybercriminal-trends-tactics-targets
Internet Archive Wayback Machine
https://archive.org/web/
Shodan:
https://www.shodan.io/
[1] Dark Reading – Emily Johnson: Social Media Fraud Spikes, Study Finds
http://www.darkreading.com/cloud/social-media-fraud-spikes-study-finds-/d/d-id/1326805?