The Securities and Exchange Commission (“SEC”) recently published its sixth risk alert on cybersecurity since 2014. In this alert, the SEC focused on how its regulated firms protect themselves against ransomware risk. I previously wrote about the SEC’s last risk alert on ransomware here.
Ransomware is malware that stops a user from accessing either part or all of the data within their network or other systems until a ransom is paid. For ransomware to be effective, it must gain access to network data in some form or fashion, usually through user error, such as a user clicking a link, downloading a file, or doing something else which affirmatively provides the ransomware access to data. From there, the hacker typically encrypts data and demands payment to unencrypt it.
There are varying studies, but up to 90% of financial services firms, including investment advisers, broker-dealers and investment companies, report that they have been targeted by ransomware. The SEC also reports that these targeted attacks have gotten more sophisticated in nature over the last few years, which necessitates greater allocation of resources from firms to protect themselves.
A financial services firm must ensure its systems are safe and that it has done the requisite due diligence to ensure that it has protected its clients’ data. Frequently, that means the firm has to test the effectiveness of the solutions proposed and implemented by its third-party service providers, which can be difficult to do if the firm itself has limited knowledge of information technology (“IT”) systems. Unfortunately, there is not a silver bullet solution to this problem. Rather, it takes sustained effort from a firm to evaluate risks, respond to a changing environment and delegate tasks as needed. In its risk alert, the SEC provided some examples of policies and procedures that were effective at addressing these risks but made clear that this is not a “one-size fits all approach.”
Your firm should review the following items periodically with your IT provider and compliance counsel:
Incident Response Plans – These plans should be tailored to your firm and updated as new situations arise that require additional plans. It is helpful to scenario plan for different malicious attacks so that you are ready to respond to all of the types of threats that could harm your firm.
Resiliency Plans – Think about segmenting your networks to make it harder for the hacker to gain access to all of your various systems. It’s also important to have separate immutable backup storage, which will allow you to recover your data if your main data storage is compromised.
Training – Given the increasing sophistication of hacking attempts, the SEC expects your firm to have updated training, which helps your employees understand risky computer behavior. To that end, phishing testing is a useful tool to both train and gauge the risks posed by your employees.
Access – The SEC expects your firm to think about whether each employee needs access to all of the various systems you have or whether you can segment access for certain employees. Of course, the fewer people who have access to your firm’s most personal data, the less risk of an incident. Each year, your firm should review and re-certify the access privileges of your employees.
Network Defenses – This varies by firm, but you should consider and ask your IT specialist whether you need intrusion detection, vulnerability scanning, firewalls, or other systems to either prevent or detect intrusions.
Updates – Your firm should set all virus/malware scanning, patches to software, and any other important definitions on your systems to automatically update as there are constantly new updates that are critical to the security of your firm’s computer systems.
Century Compliance, LLC, provides stand-alone phishing testing and training programs for investment advisers. If you require assistance with reviewing, updating, or drafting the policies and procedures required to have an effective cybersecurity compliance program, or are preparing to be examined by a regulator, please contact Parker MacIntyre or our affiliated compliance consulting firm, Century Compliance, LLC, at (678) 902-4060.
Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our Investment Adviser Group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our Investment Adviser Practice Group page for more information.