The Future of The SEC Exam is Here. How to Respond to the New Request.
Last week the SEC Office of Compliance Inspections and Examinations (“OCIE”) released its second Cybersecurity Examination Initiative; the first shot was fired in April, 2014 and was more commonly referred to as the “Cybersecurity Sweep Document Request.”
The 2015 version pushes down the road of 6 high-level areas of controls and information practices, includes a document request, and provides advisers and broker-dealers another raft of considerations.
While OCIE’s points are clear, our job at Artemis is to read between the lines of this second barrage, determine what actions advisers and broker-dealers should embrace, and attempt to predict the SEC’s next move.
Based on our discussions with advisers and broker-dealers, many of whom are just digesting last week’s initiative, OCIE’s efforts are effective on a number of fronts. The Exam Initiative, according to the SEC is designed to:
“build on OCIE’s previous examinations in this area and further assess cybersecurity preparedness in the securities industry, including firms’ ability to protect broker-dealer customer and investment adviser client information.”
While we are sure that all participants greatly appreciate the SEC’s diligent information gathering efforts, the release simultaneously puts all registered entities and members on alert regarding the mentioned subject matter. Similar to the first exam initiative, firms are already planning to utilize the attached document request as a roadmap to measure their own IT security programs and plan enhancements. We understand the onus this places on firms but, as a whole, we view it as a positive development if the initiative aids in addressing business, regulatory, and legal risk.
Six Information Practice Focus Areas
The following summaries and action points represent Artemis’s suggestions for approaching the latest Cybersecurity Exam Initiative:
1. Governance and the related emphasis on Enterprise Risk Management are here to stay, and firms with weak or no practices in these areas need to make amends. The SEC focus dates back almost five years. Recent guidance, including the FINRA’s Cybersecurity Best Practice Report of February 3, 2015 and the Division of Investment Management’s (“DIM”) Cybersecurity Guidance Alert, emphasize Governance and ERM. Further, the NIST CSF connects the dots between Cybersecurity Risk and Risk Management. A review is pertinent if you wish to gain a deeper understanding of the concept which is directly related to the Framework Implementation Tiers and the maturity of your IT program. We have also mentioned that questions related to Risk Management and Governance are likely first in line in standard SEC examination processes, and don’t forget that Risk Management is the first section of FINRA’s Risk Control Assessment (“RCA”). Consider, at a minimum, the following points with respect to governance:
- Evidence your Risk Management Process and the incorporation of cybersecurity risk considerations.
- Emphasize your Information Security Committee or similar mechanism, the participation of Compliance, IT, Legal, and Senior Management – and the connection to the Risk Management process.
- Understand how Senior Management and the Board of Directors are involved. This level of participation is actually mandated in Regulation SCI (Systems Compliance and Integrity) and may well be in the future for advisers and broker-dealers.
- Finally, assess the efficacy of your governance practices for management of cybersecurity risk. This is one the 5 periodic assessments recommended by the Division of Investment Management. Not only do you need a Risk Management structure, IT Governance mechanisms which are feeding into it, but a process to assess the process.
2. Access Rights and Controls are fundamental practices explored in the SANS 20 Critical Controls, every Security Standard and Framework published (including the NIST CSF), and should be documented in your Written Information Security Program. The SEC is stating that these information practices should be well-considered and documented at every firm.
- Many of these concerns can be addressed through employee Onboarding and Offboarding Policy and Procedures, which takes into account initial systems access and segregation on an as-needed basis, and employee role change and termination. Access levels and security should be structured and documented from initial hiring and through all permutations going forward.
- In the Windows-based environment, this means determining who owns ActiveDirectory user setup and control settings, all of which should be documented.
- The SEC is also interested in multi-factor authentication, customer logins, remote access, network segregation, and tiered access – all controls surrounding access and authorization.
3. Data Loss Prevention is broadly interpreted by the SEC to equate to any control or practice that prevents breach or data exfiltration. For example, patch management and system configuration, which will be examined, are not typically mentioned as DLP controls, but we understand the relationship: the failure of almost any system protection can lead to breach and data loss.
- Monitoring capabilities are the big issue here as the Initiative is looking for evidence of tracking data flows, into or outside of the firm by employees and third parties. How does your firm monitor for unauthorized data transfers?
The notion of DLP and some enhanced monitoring may be the most interesting aspect of last week’s release as it belies an expectation that firms, in addition to exercising robust, standard controls in the area of DLP, may need to consider some new solutions, technology, and applications, which means increased costs. We often recommend draconian controls with DLP in mind, such as restricting personal email use, locking down all removable media, prohibiting the use of cloud-based file sharing applications which work across devices. While such controls may be part of your DLP approach and policy, the SEC is stating that monitoring capabilities belong in the equation.
- The SEC also referenced the authentication of requested client fund transfers; again, a broad interpretation of DLP but this is a common approach from the regulators.
4. Vendor Management is perhaps the most widely mentioned area of regulatory focus this year, following well-publicized, third-party-induced breach at Target and JPMorgan. Please see our previous post: “Due Diligence – How CCOs Can Slay the Two-Headed Dragon” which covers all aspects of the SEC’s request plus market-based incentives for providing your own due diligence to institutional investors and business partners. The bottom line is:
- Create a Vendor Management Program which factors in initial and ongoing due diligence of third parties, especially those named as critical in your Business Continuity Plan.
- Monitoring of vendors, especially those who access your infrastructure and data, is critical and should be documented.
- Service Level Agreements should be detailed with understanding of data ownership, transference, and destruction. Other considerations include: confidentiality agreements, right to audit, breach notification; and security/BCP requirements.
- Vendor Management, like Compliance and IT, in general, is a risk-based undertaking. Prioritize your due diligence activities based on the criticality of the vendor, the type of data and systems with which the vendor interfaces, and assess risk related to vendor on an ongoing basis.
5. Employee and Vendor Training is another “reasonable” practice which is mentioned in all guidance, including the DIM, FINRA, previous Sweep, and so forth. Given the fact that access has been gained to many corporations through common email and employee exploits, you have to do it. Unfortunately and while lumping IT security training in with required annual compliance training is convenient, this may not cut it.
- The initiative mentions several areas including: physical training concerning laptop and device theft; unsecured internet connections; and email and internet protocols for clicking unknown links and attachments.
- The SEC expects training to relate to the job function. This makes sense, especially with employees who may handle or manage sensitive data, Personal Identifiable Information or Intellectual Property.
- The concept of Vendor training will, again, have to be addressed on a risk basis. This can be handled in a number of ways: ask critical vendors to join your training sessions; produce documentation specific to the vendor’s role; make sure vendors understand and work within your firm’s security requirements, policies and procedures.
6. Incident Response is at the top of the regulatory list, and we have known this for some time. See our post: “5 Basic Exam Questions of the Future” and Lyman Terni’s “Incident Response Planning.” Our readers know that we consider the Department of Justice guidance “Best Practice for Victim Response and Reporting of Cyber Incidents” to be one of the most important releases of the year. This is low hanging fruit for regulatory inquiry, as is the subject of your incident log and documentation of potential and actual incidents. Remember, there are rule-based requirements with respect to planning and logging if your firm is subject to Regulation S-ID (Identity Theft). The SEC wants to know the following basics:
- Do you have an Incident Response Plan, designated personnel and teams, and is this plan practiced?
- Have you conducted the first periodic assessment recommended in the DIM guidance?: determining the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses.
- Have you conducted your risk assessment of internal and external threats and created policies to decrease the risk of potential breach?
Artemis Takeaways
At this point, addressing the six areas mentioned in the current Exam Initiative would seem to be standard stuff, considered “reasonable” aspects of an IT security program at a critical infrastructure provider, which encompasses virtually all financial services companies. The SEC has created an expectation of documentation related to these areas and we make the following suggestions with respect to the Initiative:
- Put the Part 2 Exam Initiative on the table at your Information Security Committee or corresponding risk committee meeting. Utilize it to reinforce Governance structures and the role of Compliance in relation to IT – and the critical role of Senior Management and the Board.
- Review the 2014 Part 1 Exam Initiative, as the combination of these two Alerts, appears to cover the SEC’s current concerns; though the SEC disclaims this notion and states that other areas are open for duck season as well.
- Write down what your firm is doing on the 6 focus areas. Make sure there is an understanding with respect to these issues for key players and perhaps worked into the training agenda. Has your CISO or designated IT security person reviewed Part 2, or Part 1?
- Review the 5 recommended assessments in the DIM Guidance. No matter how you document your program, there will likely be an expectation that you evidence this analysis.
- Part 2 again references the NIST CSF, which is a manageable tool for helping your firm evidence and document the growing list of cybersecurity-related requirements. The NIST CSF is looking more and more like a standard which will help you demonstrate “reasonable” practices but can also serve as a market advantage to your firm’s valued clients and business partners.
Finally, we know for sure that we will all be discussing cybersecurity for the next few years as Exam Initiative results are published and analyzed and more enforcement hits the docket. Eventually, we expect specific or perhaps broad-ranging IT security subject matter to be built into the standard SEC and FINRA examination process.
The real takeaway is that the initiative is not going away, your firm needs to address IT security comprehensively, including its relationship to the Compliance function and the Senior Management/Board level.
Contact Artemis for assistance with End-to-End solutions for IT security and an approach to the demands on Compliance and your business.
For Further Reading:
DIM Cybersecurity Guidance Alert
FINRA’s Risk Control Assessment