Small advisers struggle with cybersecurity demands of regulators

Many state-registered investment advisers think they are too small to be on criminals' radar

Cybersecurity remains a top concern of registered investment advisers, but smaller firms are struggling to keep up.

State securities regulators are concerned about a growing number of deficiencies related to cybersecurity at state-registered investment advisers, firms with no more than $100 million in assets under management. In the first half of 2019, state regulators found cybersecurity deficiencies in 26% of their examinations, up from 23% during the last series of coordinated examinations in 2017, according to a report from the North American Securities Administrators Association.

The most common problems were a lack of vulnerability testing, insufficient procedures around securing devices and internet connectivity, weak passwords and having no, or inadequate, cybersecurity insurance.

75% of execs cite phishing as the most significant security threat to businesses

Training is the key to helping the enterprise avoid cyber threats from phishing or other means.

One of the most devastating things that can happen to a business is a cyberattack, but business executives are not confident employees have had sufficient security training, according to a CybeReady report released today, "The State of Security Awareness Training," which found that 75% of execs believe the most likely catalyst of a cyber attack is phishing.
 
CybeReady's report is based on findings from the Osterman Research white paper, "The ROI of Security Awareness Training." Phishing attacks topped the list of concerns for decision-makers with nearly 75% of executives citing phishing emails as the most significant threat. Those executives regard training as a better way to deal with this threat, but approximately 60% of users receive training less than once a quarter, meaning organizations are not being adequately trained, even with current solutions.
 
The most relevant finding of the report is that "Learning by doing is the most effective principle in adult learning," said Shlomi Gian, CEO of CybeReady. "As adults, we do change behavior when we make a mistake and that's the best way to get our attention."

Security awareness training is designed to bolster users' ability to recognize threats such as phishing attempts, unusual requests that claim to come from the company's CEO, malicious advertising on web pages and more: threats designed to trick users into opening the door to a compromise that can subsequently wreak havoc within an organization.

The report highlights executive concerns with phishing, business email compromise (BEC) and the unsatisfactory results, despite an increase in investment and effort. The study revealed that 58% of decision-makers view awareness training as superior to technology solutions when dealing with phishing, and awareness training budgets are increasing quickly, faster than security budgets.

11 Ways Employees Can Be Your Weak Link for Cybersecurity

With some creative tips to help engage and educate your employees on cybersecurity

Each year, incidences of cyberattacks on companies are increasing with the intent to steal sensitive information. There are cybersecurity tools made to protect organizations, but many of these tools focus on external attacks, not internal weaknesses. Many security systems do not focus on the possibility of employees unknowingly becoming a security threat and do nothing to mitigate accidental internal threats. Employee cybersecurity is an important issue.

The 2018 Insider Threat Report asserted that 90% of organizations are likely to be attacked or exposed to attacks through an insider, and more than 50% experienced an attack through an insider. Furthermore, about 44% of top companies are exposed to potential threats as a result of exposure of passwords on the internet by their employees or theft of login details.

The Need For Overhauling Cybersecurity In A Post-Reg BI Landscape

The recent passage of Reg BI comes at a time when the advisor-client relationship is already becoming more collaborative, open and transparent. The future of advice will be one in which clients are empowered by technology to work with their advisors to take further ownership of their financial lives.

In this new world, advisors are not only expected to have their clients’ best interests foremost in all that they do, but are increasingly expected to be accessible at virtually all times via a broad range of communications channels, including mobile devices, online collaboration tools and third-party websites. It’s a foundational evolution for our industry and a generally positive shift that will allow advisors to serve more clients and offer them better service than was possible even a decade ago.

But there’s a catch: The more an advisor-client relationship grows, the greater the risks for the client’s sensitive personal data. Long gone are the days when crucial information sat in a filing cabinet in an advisor’s office, where only a handful of people had access. Now, with documents and other data available to clients and advisors on demand through a range of technology-driven devices and digital channels, sensitive information has become more accessible and easier for cyber thieves to compromise.

In addition, the practice of sharing sensitive data with third-party partners introduces another area of potential vulnerability, even when these partners are well-known vendors. This was recently demonstrated when leading CRM provider Redtail found that it had inadvertently made client information stored by advisors on the company’s CRM software easily accessible to hackers and others online.

Cyber-criminals are also getting increasingly sophisticated in their attacks, moving “downstream” from comparatively well-protected targets like large retail banks and wirehouse broker-dealers to the independent financial advice space, where under-investment in cybersecurity by some firms has left detailed troves of client data relatively accessible. One well-known example in the advice industry was the attack on a large financial institution in 2016, in which the personal information of 5,600 clients was stolen.

Post-Reg BI, this case is even more relevant because it also demonstrates regulators’ recent shift away from offering corrective guidance to firms whose cyber-protections have been compromised and toward imposing punitive fines: the company above not only suffered from lost trust and business as a result of the breach, but was assessed a $1 million penalty by the SEC.

With all these factors in mind, it’s increasingly crucial for IBDs to overhaul their approach to cybersecurity in the post-Reg BI landscape to continue to drive the benefits of technology that advisors and clients want, while keeping everybody protected against cyber criminals. Following are three considerations for any cybersecurity overhaul:

• Prioritize cybersecurity as a core part of the firm’s operating plan. For advisors to realize the vision of the future advisor-client relationship and harness all the value it potentially can bring, broker-dealers must make safeguarding client data a core part of operations and invest in cybersecurity measures in a holistic, top-down and adaptive way that is baked into their strategies at every level.

• Understand that cyber-defense is an arms race that requires continuous focus. As the regulatory and threat landscapes continuously evolve, it is crucial that IBDs maintain an ongoing focus and dedicated, layered approach to cybersecurity. There is no silver bullet for combatting cyber crime, and as technology continues to advance, so will the risks and vulnerabilities. Independent financial advice firms also need to leverage their size and scale to marshal resources and build more comprehensive solutions to anticipate and effectively combat cyber threats. By creating a flexible central technology chassis onto which new solutions can be easily added and old ones removed, firms can quickly identify and close gaps in their defenses.

• Seamless integration of cybersecurity in terms of training, surveillance, continuous testing, devices and software is critical. IBDs should bring together each of these different areas that collectively comprise a holistic cybersecurity defense rather than spending money buying pointed solutions or services that don’t integrate.

Beyond technological solutions, firms should reinforce to advisors that corporate and home-office personnel are on the same page with them in their goal—to protect advisors and clients and put advisors in a position to thrive. To that end, firms should collaborate closely with advisors to ensure they fully internalize best cybersecurity practices into their infrastructure and operations.

The shift toward an expanded advisor-client relationship in the post-Reg BI landscape has already begun. Both sides have come to expect a higher level of accessibility, convenience and transparency in their engagements, but neither would be served well by an “every advisor for themselves” approach to combatting cyber threats.

To accommodate the gamut of cyber preparedness and raise everyone to the same high standard—from smaller practices, to branch offices, to home offices—firms should take full advantage of their scale, resources and reach to implement a unified approach to cybersecurity that is both integrated and highly adaptable.

The North American Securities Administrators Association (NASAA) maintains state securities regulators are concerned cybersecurity deficiencies are rising among investment advisers.

“Cybersecurity is a priority for state securities examiners,” Michael S. Pieciak, NASAA president and Vermont Commissioner of Financial Regulation, said. “Smaller companies are the low hanging fruit for cybercriminals, and when you consider more than three-fourths of the nearly 18,000 state-registered investment advisers are one to two-person shops, it is clear how important cybersecurity should be for these small businesses as well.”

The NASAA’s effort to garner feedback from state-registered investment advisers in 41 jurisdictions between January and June 2019 determined that state examiners found deficiencies relating to cybersecurity in more than one-quarter, or 26 percent, of their examinations, up from 23 percent during the last series of coordinated examinations in 2017.

“We encourage state-registered investment advisers to review their cybersecurity practices to ensure compliance and to take advantage of the free cybersecurity checklist offered by NASAA to help gauge their cybersecurity preparedness,” said Andrea Seidt, chair of NASAA’s Investment Adviser Section and Ohio Securities commissioner.

State securities regulators have regulatory oversight responsibility for investment advisers with assets under management of $100 million or less, officials said. Of the advisers included in this year’s coordinated examinations, 67 percent had assets under management between $30 million and $100 million and 33 percent had assets under management of less than $30 million.

Small advice firms show increase in cyber-related issues

State-registered investment advisers are showing more deficiencies related to cybersecurity but are improving their compliance in many other areas, such as books and records, fees and supervision, according to state securities regulators.

In its latest coordinated exams of investment advisers, the North American Securities Administrators Association said regulators found cybersecurity problems in 26% of the reviews, compared to 23% in 2017, the last time coordinated exams were conducted.

Regulators in 41 states conducted examinations of 1,078 advisers between January and June. They released the results Sunday at the NASAA annual conference in Austin, Tex.

This year, 292 advisers were being reviewed for the first time. State-registered advisers have less than $100 million in assets under management. About 67% of those examined had AUM of more than $30 million and 33% had AUM of less than $30 million.

Cybersecurity deficiencies included inadequate insurance, lack of vulnerability testing and weak or infrequently changed passwords. State regulators have put an increasing emphasis on cybersecurity. It was not even a category in 2015 exams. Earlier this year, however, NASAA released a cybersecurity model rule.

"Smaller companies are the low hanging fruit for cybercriminals, and when you consider that more than three-fourths of the nearly 18,000 state-registered investment advisers are 1- to 2-person shops, it is clear how important cybersecurity should be for these small businesses as well," Michael S. Pieciak, NASAA president and Vermont Commissioner of Financial Regulation, said in a statement.

The coordinated exams indicated the biggest area of compliance problems for investment advisers was books and records (59.5% of exams showed at least one deficiency) followed by registration (49.5%), contracts (43.9%), cybersecurity and fees (20.7%). But the number of deficiencies in every category other than cybersecurity is lower than it was in the 2015 exams — and in many categories also lower than reported in 2017.

"Cybersecurity is the exception because that is a new area," said Mike Huggs, director of the Mississippi Securities Division and head of the coordinated exams. "I would expect deficiencies to be on the rise, as both regulators and registrants are coming to grips and learning about cybersecurity."

Cybersecurity Evolving to Cyber Resilience

How Your Business Can Achieve True Cyber Resilience

Cyber resilience has lately become an industry buzzword.

Indeed, it is a highly important concept that should not be missing from your organization’s security strategy. In fact, your entire cyber security plan should be built on the pillars of cyber resilience.

Of course, you are already prepared for data breaches and cyberattacks. But what happens if disaster hits you? Will your business still be able to function properly? That being said, organizations should be fully aware of what cyber resilience means and how it can be achieved.

What is cyber resilience and how to achieve it

If you aren’t sure what cyber resilience is, you’re not alone. There are multiple definitions, however, here is a brief explanation of it:

What is cyber resilience?

Cyber resilience is an organization’s capacity to avoid, prepare for, respond, and recover after it has been hit by a cyber attack.

Essentially, it is a matter of how an enterprise reacts to data breaches and cyber attacks, at the same time successfully managing to continue its daily operations. Businesses today are forced to function in an ever-evolving threat environment, where traditional security practices are simply not keeping up. Thus, they need to shift their focus to a more pragmatic approach and resort to cyber resilience strategies to guarantee their continuity.

Why does cyber resilience matter?

Building a higher and bigger ‘fortress’ around your enterprise is a common practice that is often failing, as threats are constantly adapting. For instance, if your employees are targeted through social engineering practices, they are likely to willingly, yet unknowingly, give away your most sensitive information, transfer money to cybercriminals, or provide login credentials.

Let’s put it this way: the human body deals with health issues. Suppose someone catches chickenpox. Once the body is infected, the immune system will trigger an alert and start the recovery process. The rest of the body will keep functioning, although some parts of it may not function to their fullest potential.

Nonetheless, it will keep working. The antibody that was created by the immune system to remove the chickenpox will remain in the body and the next time this virus tries to make the person sick again, the antibody will be prepared. It will instantly stop the infection from developing.

Similarly, cyber-resilient companies should be able to protect themselves, and if the protective measures fail, they should adapt, survive, and learn from these events to successfully stop others in the future.

The number of malware infections and cyberattacks has skyrocketed in recent years. Under these circumstances, we are no longer in the position to ask ourselves if our organization will be attacked, but try to anticipate when it can happen, how, and by whom.

Think of the costs involved in repairing the damage.

The Ponemon Institute noted that 1 million breached records would translate into losses of roughly $39.4 million for businesses. But when using cyber resilient practices, IT security departments quickly detect and mitigate potential threats before they spread, at the same time lowering costs.

However, the consequences of data breaches and attacks aren’t only to be looked at from a financial standpoint. The implications extend to a broader spectrum, covering reputational damage as well. In terms of reputation, it will be highly challenging to regain your customers’ and the general public’s trust after a data breach. Eighty percent of consumers in developed nations will abandon a business if their personal information has been leaked in a data breach.

Cyber security and cyber resilience: what’s the difference?

Simply put, cyber security refers to the defensive measures meant to keep malicious actors away when they’re trying to break into your IT systems. This is a basic cyber security tip that will prevent most of the attacks.

On the other hand, even though heavily connected to cyber security, the cyber resilience concept emphasizes the way an organization responds once an attack takes place. Therefore, an important aspect of cyber resilience is that it implies you are capable of continuing your normal business operations despite adversities.

Cyber security and cyber resilience should not be perceived as standalone concepts, as they are without doubt overlapping and greatly depend on each other.

Cyber Security: Focused on preventing cyberattacks by all possible means.

Cyber Resilience: Centered around the idea that incidents could happen anytime, so while it’s ideal to prevent them, you should always be capable of continuing your operations in spite of difficulties.

In other words, cyber resilience is based on a holistic approach that outweighs cyber security.

6 steps to create a complete cyber resilience program

It’s time for organizations to transition from a classical information security approach to one of cyber resilience.

According to the NIST Special Publication 800-160, cyber resiliency should be based upon four high-level goals: Anticipate, Withstand, Recover, and Adapt.

 

In short, you need to be conscious of the current threat landscape and be able to anticipate future dangers. You are also required to have the appropriate processes in place if cyber disaster strikes, so your business is not disrupted. Or in any case, be able to recover promptly.

Here are the steps that will pave your way to true cyber resilience:

1. Evaluate your environment

Start by asking yourself a few vital questions, such as:

  • How vulnerable is your organization to the current threat landscape?

  • Where is your data stored? Who has access to it?

  • Do you update your operating system and software as soon as new patches are available?

  • Do you provide cyber security training sessions for your employees?

  • Are you aware of the existing vulnerabilities in your systems?

  • Do you have Penetration Testing programs in place?

Of course, these are merely a few questions. Your evaluation should be much more extensive. If you don’t have the proper resources to conduct an in-house analysis, you can always choose to collaborate with third-parties.

For instance, CISA’s Cyber Resilience Review (CRR) is a free, non-technical assessment that will help you evaluate your cyber security practices. Designed to determine your existing organizational resilience and to offer a gap analysis for improvement, the CRR evaluates programs and practices across domains such as risk management, incident management, service continuity, and others.

2. Develop your defense and prevention plan

As I’ve already pointed out, having the right means of protecting your environment and avoiding cyberattacks is mandatory when following both the cyber security and cyber resiliency philosophies. Some of the common risks you should be prepared against are malware, insider threats, business email compromise (BEC), phishing/social engineering attacks, DDoS (Distributed Denial-of-Service) attacks, and more.

So, here are some elements you should include in your protection and prevention plan:

  • An Endpoint Detection and Response (EDR) solution

  • Firewalls

  • Privileged Access Management software

  • Encryption software for your stored and transmitted data

  • Security software for your mobile devices

  • An email security solution

  • Strong authentication methods


Ensure the defense tools you’re using are proactive rather than reactive. Employ artificial intelligence and automated security software whenever possible. Study threat intelligence reports so you can better understand the cybercriminal business model and stay ahead of threats.

3. Design a backup and recovery plan

If your organization is under attack, is all your vital information backed up so you can effectively resume your operations? Make sure you follow these steps to quickly get your business back up and running:

  • Conduct an inventory of all the assets that should be backed up and recovered in case of a cyber emergency.

  • Decide how often you should perform database backups.

  • Choose the physical locations of your data centers. Ideally, they should not be in the same geographical area, because if an entire region goes down, all your digital assets will be lost.

  • Regularly test your backup and recovery processes to be certain they work.

4. Have a Penetration Testing program in place

Ethical hackers will help you discover any cyber weaknesses in your organization. This means you should have someone try to ruin everything you have created before malicious actors get the chance to break into your IT environment.

Another important aspect that should not be forgotten is your people, as they must be tested as well. Why? Because they can often be exploited and allow cyberattacks to take place without their knowledge. For example, you can simulate social engineering campaigns (send your employees phishing emails) and observe their behavior.

This point brings us to the next essential step in your cyber resilience plan.


5. Train your employees

Cyber resilience is all about approaching information security in a way that encompasses both technology and people.

While it may be simple to have a single person or a team responsible for your cyber security, that will prove to be an awful practice. In a cyber-resilient organization, communication needs to be facilitated across all lines of business. All your employees must be aware of cyber threats and be properly trained and familiar with the cyber security best practices.

In essence, ongoing cyber security education is key. Untrained employees can be your highest threat, while educated people can ultimately prove to be your best defense against intruders. Foster a positive cyber security culture, where everyone is encouraged and supported to learn and report suspicious behavior.

6. Adapt, learn, and predict

To demonstrate a true cyber resilient behavior, your organization must be able to adapt in times of change. Another crucial phase is to learn from past attacks and be able to determine in due time when similar events will take place.

Based on what you have learned, make the necessary adjustments in your cyber resilience strategy. Find ways to better address environmental changes and modify systems to reduce future risks.

Who should be responsible?

Your cyber resilience transformation should start from the highest levels of your organization. First of all, your key decision-makers need to be in sync with regards to your cyber resilience messaging.

Secondly, even if everyone is ultimately responsible for sustaining a cyber-resilient culture, business leaders need to be advocates for cyber-resilient practices and ensure that cyber security education is an ongoing process.

3 takeaways for your cyber resilience strategy

  • Cyber security is mostly about defense and reaction, while cyber resilience is more about anticipation and continuity.

  • Create your IT systems in such a manner that even if malicious actors manage to break into your environment, your business operations continue without interruptions.

  • Choose a proactive approach over a defensive one and advocate for cyber resilience by design.

Bottom line

Start practicing cyber resilience, don’t limit yourself to cyber security.

Cyber resilience strategies will truly put digital security at the core of your business. Nurture an environment where the newest and most advanced threats are tackled with proactive defenses. Start using efficient strategies that will keep your organization in a functional state even in times of a cyber disaster.

Challenge the way you think about cyber security. Change your mindset to achieve true cyber resilience.

9 cybersecurity steps the SEC wants to see

The SEC's cybersecurity punch list

The SEC has made no secret it expects advisors and brokers to ramp up their policies and procedures to guard against cyberattacks. Now, after a second wave of examinations focusing on firms' defenses, the commission's Office of Compliance Inspections and Examinations has produced a risk alert detailing the do's and don'ts for firms.

  1. Know your weaknesses

    OCIE examiners praise firms that have "taken a complete inventory" of their data and information assets, and identified the potential risks to their systems, including those that could arise from third-party vendors.

  2. Stick to the plan

    While almost every firm conducted some type of risk assessment, SEC examiners found that some were failing to adhere to their own policies. For example, many firms had policies calling for annual or ongoing security reviews, but in practice conducted those evaluations less frequently.

  3. Make it specific

    Too many firms seem to be relying on off-the-shelf checkbox compliance programs that are downloaded from the internet, OCIE examiners found. Some firms were relying on policies that were vague and not "reasonably tailored" to the firm's operations, meaning they were of limited value.

  4. Set your staff straight

    OCIE found that some firms "created contradictory or confusing instructions for employees" that could put cybersecurity concerns at odds with the business operations. In particular, the commission learned that some firms struggled with inconsistent policies governing remote client access and transferring funds.

  5. Follow through on employee training

    While firms typically required employees to undergo cybersecurity training, OCIE found that some did not actually ensure that those sessions were completed.

  6. Keep technology up to date

    Some firms were falling down on system maintenance, the OCIE reported. They used older, unpatched operating systems and failed to address the vulnerabilities identified in the penetration tests that they conducted.

  7. Lock down access to systems and data

    The firms that maintained strict policies governing who has access to what type of data were ahead of the game on cybersecurity, the OCIE found. Successful practices include "acceptable use" policies clarifying employees' responsibilities when using company systems, and promptly shutting down access for employees when they leave the firm.

  8. Have a response plan

    OCIE praised firms that had a plan for how to respond to a cyberattack. If hackers breach systems and compromise sensitive information, the firm can minimize the damage by having a protocol for what actions to take and whom to contact.

  9. Set the tone from the top

    OCIE indicated that members of a firm's senior management must be involved in vetting and approving cybersecurity policies and procedures. In other words, cybersecurity must be considered first and foremost a business priority.

Solving the Cyber Security Problem: Mission Impossible

Why is nothing working in cyber security?

I spend a fair amount of time in my current role thinking about future cyber-attacks. Some folks may call this “threat modeling” or even “cyber threat intelligence.” I recently had several revelations about cyber security which although not as nearly as spectacular as say the Book of Revelation written by Saint John of Patmos, are worthy of recording and talking about.

Revelation 1: “I’m from the government and I am here to help.”

It appears to me that most western governments are hypocritical when it comes to cyber security. On one hand, a lot of government organizations and funded projects seek to strengthen cyber security defenses. On the other hand, those very same government organizations are calling for encryption backdoors and, within the intelligence and law enforcement communities, are hell-bent on eroding an enshrined right to privacy. This duplicity is understandable.

Nation-state motivations regarding cyber-crime are questionable at best and a conspiracy at worst. The Ouroboros or uroborus is an ancient symbol depicting a serpent or dragon eating its tail – this describes the essence of the problem.

Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five years from 2017 to 2021. No nation-state has the desire nor the motivation to put a 1-trillion-dollar industry – built on cybercrime activity – at risk. The conclusion is that we can expect very little in the way of impactful action against cybercrime, and organizations small and large will continue to face cybercriminal threats that drive a 1-trillion-dollar global cyber security industry.

Revelation 2: “You need product X to protect from attack Y”

A widely accepted cyber security truth, substantiated by multiple vendor reports and think tanks like SANS, is that the vast majority of impactful cyber-attacks occur as a result of a phishing email. Despite the best efforts of email service providers and email filters, we still receive dangerous email containing malicious links or malicious attachments.

Of course, this does not invalidate the entire cyber security industry's products and services that have nothing to do with email; but if email defenses are not part of your security strategy, that decision is not supported by any factual analysis of the most common attack vector used by malicious threat actors.

Ongoing user training is, according to research, the lowest-cost yet highest-impact security control a business can establish. Rather than promoting it, many businesses are paying lip service to user training delivered once a year through a dated PowerPoint.

According to the FBI, the fastest growing trend in cybercrime is the business email compromise (BEC). BEC is akin to a social engineering attack which seeks to create a sense of urgency to wire transfer funds or change banking information.

It is almost impossible to prevent a BEC attack on your organization through technological means. Only “BEC aware, security trained staff” and an out-of-band authentication process has any hope of stopping this type of attack.

It should be noted as well that the GDPR, PCI DSS, and HIPAA all have user training requirements due to staff members’ potential exposure to sensitive data or cardholder/banking details. Again, if your user security training program is not a priority, there is a substantial chance you will be victimized by ever-evolving cyber-attacks that use social engineering as a foundational technique.

Revelation 3: “Your business is the cyber security problem and the cyber security solution”

This is perhaps the largest and most radical idea I’ve ever considered proposing, but it’s based on the idea that the current cyber security challenge has little to do with cyber security controls or their effectiveness. As I see it, the arch-nemesis of cyber security is complexity and technological debt.

Physical network topology in the small and medium enterprise (SME) space is fairly simple: internet, firewall, internal network – that’s it. The larger enterprise may be more complex, adding a DMZ and perhaps links to other offices or business partners. The relatively simple physical model has not changed very much since the very beginning of connectivity. Logical complexity, on the other hand, has exploded – mobility, hosted services (SaaS) and hosted infrastructure and platforms (IaaS, PaaS) have all conspired to eliminate any semblance of a security perimeter.

Technological debt is amplified by logical complexity. The vast majority of organizations are a hodgepodge of new technology and old legacy systems. Sure, some folks will claim that they are “so out of date they are un-hackable”. That may be the case, but I would say to those folks, “What is your disaster recovery capability if your legacy hardware finally packs it in?” Usually, those questions drain the color from their faces.

As IT professionals we know that not all versions of Windows, macOS, and UNIX can run all software apps. We also know that on the client side there are many dependencies on third-party apps like Adobe and Java to support those old systems. A quantum leap in security is achieved by supporting technological roadmaps that target legacy systems which are difficult, if not impossible, to secure.

If, for instance, your organization has an old, vulnerable Citrix system, working with the business to move to something more modern (such as Remote Desktop Services) and decommissioning the Citrix system is going to do more for your security than buying a new security control. Moving your XP, Vista, Windows 7, 2003 and 2008 machines to 2012 and Windows 10 will do more for your organizational security than deploying an expensive anti-malware solution.

The key takeaway here is that a technological road map combined with a coherent digital transformation strategy may actually be more impactful to cyber security than the purchase of more cyber security controls for your organization. The added bonus of this approach is a reduction in complexity, which yields greater predictability in the environment. If complexity is reduced and predictability has increased, the deployment of security tools becomes far more effective at detection and prevention of cyber-attacks. READ


Ransomware, Data Breaches Expose Gaps in Cyber Insurance Market

As U.S. companies grapple with cyber crime costs, indiscriminate ransomware attacks, and hundreds of millions of dollars in data breach fines, many seek protection in a normally predictable bet—insurance.

But some companies have discovered the hard way that policies can be filled with gaps and exclusions. Some don’t cover all regulatory fines and penalties. Others may cover ransom payments made to end certain attacks, but not all the long-term damage to systems caused by the attack. 

And in two ongoing court cases, insurers are contending that “war” exclusions allow them to not cover cyber attacks linked to Russian state actors.

“It’s not like car insurance and house insurance and the flood industry,” Scott Shackelford, law professor and cybersecurity program chair at Indiana University Bloomington, said. “It’s too early for an industry standard.” 

Reports from insurance broker Marsh and the Council of Insurance Agents & Brokers indicate that at least one third of companies have adopted cyber liability policies in 2018, up from around a quarter in 2016. Cyber insurance can shield companies from millions in losses if a plan is purchased with attention to each aspect of coverage, insurance experts and brokers said. 

As cyber liability policies continue to develop, insurers globally see technology and cybersecurity as the first and second largest risks facing the industry in the next two to three years, according to a July report from the Centre for the Study of Financial Innovation and PricewaterhouseCoopers.

“Really the issue now is that making sure the policies they are buying is mapping up to the risks they face legally should the incidents occur,” Ryan Sulkin, a cybersecurity attorney and partner at Michael Best & Friedrich LLP, said. 

AXA US and American International Group Inc. are among those leading the market in direct premiums written for pure cyber insurance, accounting for $488 million in premiums last year, according to a June report from credit-rating agency A.M. Best Co. Inc. The top policy writers for all types of cyber coverage are The Hartford Financial Services Group Inc., Liberty Mutual Group Inc. and Farmers Insurance Group.

Cyber premium volume exceeded $2 billion for the first time in 2018, and the total number of cyber insurance claims surpassed 10 million last year, according to the report.

So far, it’s been a highly profitable business. While losses have risen, the ratio of claims payments and related costs was less than 25 percent in 2018, though those margins aren’t expected to last, according to Best. READ

SEC Tells Firms to Stop Missing the Basics on Cybersecurity

The SEC’s Office of Compliance Inspections and Examinations (OCIE) reported in a recent Risk Alert that many investment advisers and broker-dealers are failing to comply with basic aspects of Regulation S-P, which requires registered firms to provide customers with privacy notices and to safeguard customers’ records and information. The observed deficiencies are especially notable as they are basic flaws already discussed in previous SEC guidance; failure to correct them may lead to fines or even significant consequences in private suits by investors. Faced with such deficiencies, a court might conclude that a firm has not taken reasonable measures to safeguard customer information.

Regulation S-P requires that firms provide customers with initial notices regarding their privacy policies and practices when they sign up, with annual notices throughout the customer relationship, and with “opt-out” notices describing customers’ right to forbid disclosure of nonpublic personal information to nonaffiliated third parties. But OCIE observed in recent examinations that many firms did not provide such notices, and that when they did, the notices did not always accurately reflect firms’ policies and procedures.

OCIE also noted that firms failed to implement a host of basic policies and procedures designed to ensure the confidentiality and integrity of customer information. Deficiencies included:

  • lack of policies and procedures to prevent employees from regularly sending unencrypted emails containing personally identifiable information (PII);

  • lack of training on the use of encryption;

  • failure to create an inventory identifying all systems on which the firm maintained customer PII;

  • failure to revoke the system access rights of departed employees;

  • contracts with outside vendors where the vendors did not agree to keep customers’ PII confidential, even though such agreement was mandated by the firm’s policies and procedures; and

  • incident response plans that omitted “role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.”
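The first two deficiencies above (PII leaving the firm in unencrypted email, and no training or tooling around encryption) are the kind of thing a compliance team can check for mechanically. The following is an added example, not code from OCIE or from the article, of a small scanner run over outbound mail-gateway records. The log format (`msg_id|sender|recipient domain|transport|body excerpt`) and the sample lines are constructed for this example; the SSN plausibility rules follow the Social Security Administration's published structure (area never 000, 666 or 900-999; group never 00; serial never 0000), and card numbers are validated with the Luhn checksum so that arbitrary digit runs are not flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of outbound mail-gateway records (hypothetical format):
# msg_id | sender | recipient domain | transport | body excerpt
SAMPLE_LOG = """\
m001|adviser@firm.example|client-mail.example|TLS|Attached the Q3 statement for account 4111 1111 1111 1111
m002|ops@firm.example|vendor.example|PLAIN|Please update the SSN on file to 123-45-6789 for the Smith account
m003|hr@firm.example|payroll.example|PLAIN|Employee id 8573 starts Monday, badge 000-12-3456 is a test value
m004|adviser@firm.example|client-mail.example|PLAIN|Card ending 1234, full PAN 4111111111111112 per your request
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by spaces or dashes (typical PAN formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum; separators are ignored. Rejects anything shorter than 13 digits."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural validity per SSA rules; does not prove the number is assigned."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_pii(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) pairs for plausible SSNs and Luhn-valid card numbers."""
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            hits.append(("card", m.group(0)))
    return hits


def scan_outbound(log: str) -> List[Dict]:
    """One finding per message whose body excerpt carries PII, with its transport status."""
    findings: List[Dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        msg_id, sender, rcpt_domain, transport, body = line.split("|", 4)
        pii = find_pii(body)
        if pii:
            findings.append({
                "msg_id": msg_id,
                "sender": sender,
                "recipient_domain": rcpt_domain,
                "encrypted": transport == "TLS",   # as reported by the (hypothetical) gateway
                "pii": pii,
            })
    return findings


def unencrypted_pii_messages(log: str) -> List[str]:
    """Message ids that violate the policy: PII present and no encryption in transit."""
    return [f["msg_id"] for f in scan_outbound(log) if not f["encrypted"]]


if __name__ == "__main__":
    for finding in scan_outbound(SAMPLE_LOG):
        status = "encrypted" if finding["encrypted"] else "UNENCRYPTED"
        print(f"{finding['msg_id']} {finding['sender']} -> {finding['recipient_domain']}: "
              f"{[k for k, _ in finding['pii']]} ({status})")
    print("policy violations:", unencrypted_pii_messages(SAMPLE_LOG))
```

Two of the four constructed messages carry PII (m001 a valid card number, m002 a plausible SSN); m003 and m004 contain digit runs that look like identifiers but fail the structural checks, which is what keeps a scan like this from drowning reviewers in false positives. Only m002 is reported as a violation because m001 went out over TLS; note that transport TLS between gateways is not the same as message-level encryption, so a firm whose policy requires encrypting PII end to end would treat the TLS flag as necessary but not sufficient.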

Especially because the SEC staff has now provided multiple warnings, such deficiencies deserve more attention. MORE

New York Passes SHIELD Act Amending Data Breach Notification Law - The SHIELD Act significantly amends New York's data breach notification law and data protection requirements.

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amending New York's data breach notification law. This adds to the growing list of states enacting privacy and data security laws. The SHIELD Act introduces significant changes, including:

  • Broadening the Definition of "Private Information." The Act broadens the definition of "private information" to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password if the account could be accessed without such information.

  • Expanding the Definition of "Breach." The Act expands the definition of "breach of the security of the system" to include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access. Previously, a breach was defined only as unauthorized acquisition of computerized data.

  • Expanding the Territorial Scope. The Act expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident. Previously, the law was limited to those that conduct business in New York.

  • Imposing Data Security Requirements. The Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.

The breach notification amendments take effect on October 23, 2019, while the data security requirements take effect on March 21, 2020.

Governor Cuomo also signed Senate Bill S3582, which requires a credit reporting agency that suffers a breach containing Social Security numbers to offer consumers identity theft prevention and mitigation services.

New York is strengthening enforcement of consumer privacy and data protection. Companies should review their information security programs to assess the private information they collect and implement data security requirements specified in the SHIELD Act. Given the number of new and proposed state laws, this process can be time consuming and complex. READ

New York SHIELD Act Expands Privacy and Cybersecurity Obligations

New York’s new SHIELD Act:

  • Adds additional information types that may trigger a breach notification.

  • Requires notification upon unauthorized access to (not just acquisition of) protected information.

  • Imposes new cybersecurity obligations on persons maintaining private information about New York residents.

Privacy and data security law continues to evolve, and once again, new state laws are driving the change. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which significantly expands the state’s data breach notification law and adds new cybersecurity requirements. While the new law does not create a private right of action, it specifically authorizes the state’s attorney general to seek significant civil penalties for noncompliance.

Expansion of Data Breach Notification Law

The SHIELD Act expands the scope of the state’s breach notification law by broadening the types of covered personal information that trigger notification obligations and modifying the circumstances under which notification is required.

Existing New York law requires notification if an individual’s Social Security number, driver’s license or identification number, or financial account number (coupled with a security code or password), together with any personally identifiable information, is compromised. The SHIELD Act adds to this list biometric information (like fingerprints or retina scans) as well as user names and email addresses, if they are coupled with passwords or other information allowing access to online accounts. The new law also removes the requirement that a financial account number be coupled with a security code or password, if the account could be accessed without such credentials.

Importantly, the law previously only required notification of an unauthorized acquisition of computerized data. The SHIELD Act broadens this requirement by also mandating notification of an unauthorized access to protected information, a change that will undoubtedly result in more data incidents qualifying as reportable breaches. For example, it will sweep in situations where user credentials were exposed but not necessarily used, or where hackers were able to delete or lock files (such as through a ransomware attack) without actually acquiring the data. The new law also provides specific factors that businesses may use (such as indications that the information was viewed or altered) to determine whether there was unauthorized access. Interestingly, it provides an exception to the reporting obligation for inadvertent disclosures by authorized persons where there is little risk of harm, and it provides specific procedures that a company must take before using the exception. Notably, the new law does not change the time requirement for consumer notification – breaches must still be reported “in the most expedient time possible and without unreasonable delay.”

New Data Security Obligations 

The SHIELD Act also imposes new obligations on persons maintaining private information about New York residents to “develop, implement and maintain reasonable safeguards” to protect the security of such information in both its use and disposal. In some cases, determining whether a company’s safeguards are sufficient will be relatively easy, as the SHIELD Act provides a safe harbor for organizations already covered by and complying with certain regulations, such as financial firms covered by the Gramm-Leach-Bliley Act, health care companies covered by the Health Insurance Portability and Accountability Act, and financial service providers covered by the New York Department of Financial Services cybersecurity rule. For organizations unable to take advantage of the safe harbor, the new law provides a detailed list of factors to determine whether a company has instituted sufficiently reasonable administrative, technical and physical safeguards.

Next Steps 

A company subject to the SHIELD Act should adopt and maintain a written information security program that complies with its requirements, including addressing cybersecurity protocols, providing for employee training and designating an individual responsible for administering the program. MORE

This is What Hundreds of RIA Compliance Officers are Worried About

Cybersecurity is still the biggest compliance threat to RIAs.

An overwhelming percentage of RIAs — 83% — surveyed by the Investment Adviser Association and ACA Compliance Group singled out cybersecurity as their top concern for the sixth straight year.

Last year, cybersecurity was the top concern for 81% of the respondents.

“Among the many key takeaways of this year’s survey — beyond the continued importance of cybersecurity — is that firms continue to strengthen their compliance programs,” says IAA president and CEO Karen Barr.

IAA (a lobby group for the RIA community) and ACA (a compliance services and solutions provider) surveyed 369 RIAs.

The majority of the respondents have at least $1 billion AUM and have been in business for at least five years.

A high percentage of survey respondents reported conducting cybersecurity compliance checks, including cybersecurity risk assessments, network penetration testing and phishing testing.

A majority (66%) reported having cyber insurance.

Around 87% said they have “formal, written” cybersecurity programs; 4% have “informal, unwritten programs;” while the rest have “no standalone cybersecurity programs” but instead incorporate them into other policies and procedures.

In Finra’s 2019 Risk Monitoring and Examination Priorities Letter, released in January, the self-regulator said cybersecurity is an important focus area.

Finra has said it continues to see “problematic” cybersecurity practices in its examination and risk monitoring program. In December, Finra published a report of select cybersecurity practices where it offered guidance on cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices. At Finra’s annual conference in Washington, D.C. in May, Morgan Stanley’s regulatory exam head said cybersecurity was among the key threats keeping him awake at night.

When it comes to cybersecurity and technology concerns, Andrew Lipton, executive director and head of Americas market/conduct regulatory relations group at Morgan Stanley, said one of the key solutions is finding people who “know the law and technology,” which is “an interesting skillset.”

Meanwhile, a distant second and third to cybersecurity compliance concerns for the RIAs surveyed by IAA and ACA are advertising/marketing and data privacy.

The most common controls used by RIAs for advertising/marketing compliance are the requirement of formal pre-approvals by chief compliance officers (71% of respondents) and the logging and tracking of materials as they are prepared (64%). The majority of RIAs surveyed reported having related written policies and procedures (93%) for advertising/marketing compliance. MORE

CNBC Cybersecurity blind spot is putting financial advisors and their clients at risk

It’s an email every financial advisor should expect to receive at least once.

Financial advisor Charles Failla recalls receiving an email from a client asking for about $5,000. She was vacationing in the Caribbean and claimed the hotel where she was staying didn’t accept credit cards.

“She needed cash,” said Failla, certified financial planner and principal at Sovereign Financial Group in New York.

“I said, ‘I know you’re on vacation, but call me collect. I need to confirm it’s you before I send money to a Caribbean island.’”

After several emails, the client was able to track down a phone and confirm her identity.

“She understood and appreciated it,” Failla said. “It’s definitely a policy at our firm: You get an email asking for money? Verify it with the client via telephone.” MORE

Cybersecurity Threats Are Top RIA Concern In 2019, IAA Survey Says

For the sixth year in a row, cybersecurity remains the biggest compliance concern at registered investment adviser firms, with 83 percent calling it the “hottest” compliance topic and more than 70 percent indicating that they increased compliance testing in this area over the past year, a new survey says.

More than 80 percent of advisors reported testing to see if hackers could penetrate their systems, compared with 73 percent last year, and 75 percent conducted email phishing testing, up from 66 percent last year. A majority reported having cyber insurance, according to the joint survey of 369 RIA firms by the Investment Advisers Association (IAA) and ACA Compliance Group. MORE

The Advisor Compliance Issue That's Bigger Than Reg BI

Longtime compliance chief Beth Haddock talks to ThinkAdvisor about cybersecurity, Reg BI and making compliance training less boring.


The biggest compliance issue facing advisors isn’t Reg BI. It’s cybersecurity. Protecting clients’ and firms’ confidential information from a nightmare breach is critical — and urgent, says attorney and compliance expert Beth Haddock in an interview with ThinkAdvisor.

A 20-year-plus veteran of running big firms’ compliance departments, she has helmed her own compliance consultancy, Warburton Advisers, in New York City since 2014.

Haddock’s fresh views breathe life into the essentially juiceless area of financial services compliance: For instance, the frequent industry speaker argues that by delivering a return on the firm’s investment, a compliance department can change from being a cost center to something of a profit center.

In the interview, Haddock, whose clients include fintech companies, BDs and financial advisors, discusses, among other issues, her take on Reg BI and Warburton’s Hollywood-produced training that employs virtual reality to teach compliance regs.

ThinkAdvisor recently interviewed Haddock, on the phone from New York. The author of “Triple Bottom-Line Compliance” (Advantage Media Group 2018), she was chief compliance officer at AXA, Brown Brothers Harriman and Guggenheim Investments. In our conversation, the attorney stresses why advisors need to become more involved with the crucial issue of cybersecurity.

Here are highlights of our interview:

THINKADVISOR: What’s the biggest compliance issue facing financial advisors and firms today?

BETH HADDOCK: Data security, and data ethics and governance: How you collect data, how you use and store it, the parade of regulatory requirements. It’s everything from privacy, the security of advisors’ business information and investor information to using the information you collect in order to grow your business.

What differentiates data security from the concept of data ethics and governance?

Data security is chiefly about the nuts and bolts from an IT perspective. Data ethics and governance is about making a good business judgement as to, for example, how much in the way of resources you’re going to put toward [the tech and data security].

What’s part of that decision?

Will you have a personal server? Are you going to trust the cloud? These are the issues advisors have to decide about. It’s: How much risk do you want to take, and how much do you want to protect your clients, your reputation and your brand — because if you have a breach, it’s pretty disruptive to your business.

This is a whole additional area that RIAs and FAs have to worry about beyond being an advisor to their clients, isn’t it?

Yes — because it’s new and because it’s technical. If you’re an experienced advisor, you didn’t grow up having to think about this for your practice.

What’s the solution?

RIAs have to be educated on the technology rather than outsourcing it 100% and not really thinking about it. They need to be aware and make sure it’s on their radar. Second, they have to consider multiple sources for getting help. One of those would be having an IT person on retainer or, when they’re hiring a COO, making sure that person has a tech background. That will [provide] in-house expertise.

So is that all there is to it?

No. This isn’t a one-and-done. You have to look at data governance the same way you [tend] the investments in an investment portfolio.

What’s a big obstacle to acquiring technology and data security?

If, for example, you’re an independent RIA, you may not have the wherewithal to acquire excellent smart technology when it comes to cybersecurity or IT expertise. It’s really hard for advisors to be at the same level as big financial institutions.

But they need to make some sort of commitment. What should they do?

There are lots of vendors out there. It’s a matter of getting smart and figuring out what makes sense from a resource perspective. And it’s doing due diligence so you know that the tech vendor [you decide on] will protect your information from a breach and isn’t going to share it. You need to know that the whole infrastructure is safe. MORE

WSJ The Ins and Outs of Cybersecurity Insurance

Policies are designed to help companies survive major cyberattacks. But knowing exactly what’s covered can be tricky.

The idea of cybersecurity insurance seems, on its face, pretty straightforward: Being hacked not only can disrupt business, it also can be extremely costly and hurt a company’s reputation. Businesses want to protect themselves against those losses.

But in practice, such insurance raises a lot of questions.

There’s no question that cyber insurance is on the rise, though growth in the U.S. slowed last year to 8% from 37% in 2017, according to Fitch Ratings.

These policies are designed to help companies survive major cyberattacks by offsetting the costs of recovery. But knowing exactly what’s covered can be tricky. The cyber insurance category is new, so there isn’t much standardization in the way insurers are determining risk or even defining attacks. Coverage gaps can be created by uninformed choices.

Here are some questions companies need to ask themselves.

What do we need to cover?

Companies first need to determine, with the help of a security specialist if necessary, what their biggest risk areas are and what they stand to lose if they experience an attack. That way, they can fine-tune their coverage as much as possible to fit their particular needs.

Among the areas companies need to assess are reputation damage, data-restoration costs and reimbursement for government regulatory fines in the wake of a data breach.

The National Institute of Standards and Technology, which is part of the U.S. Commerce Department, offers security guidelines that can help companies understand and assess their risk, says Gregory Touhill, a cybersecurity expert from Carnegie Mellon University’s Heinz College who was the first U.S. federal chief information security officer. Knowing what kind of security provisions insurers expect to see from companies also can provide a helpful overview. Cybersecurity insurance applications can be downloaded that show the standard levels of security insurers expect and highlight other potential risk areas.

What’s the difference between first-party and third-party cyber liability insurance?

First-party insurance covers the policyholder’s own direct losses from cyberattacks such as data theft, denial of service and extortion. In addition to compensation for lost income, benefits sometimes include coverage for the cost of various steps companies take in the wake of an attack, such as figuring out how their networks were penetrated, notifying customers affected by an attack, restoration or repair of digital content and public-relations efforts to repair a company’s damaged reputation.

Companies that store customer credit-card information or other sensitive personal data typically buy first-party coverage.

Third-party insurance covers companies that allowed a data breach to occur on a client network. For instance, an IT contractor that was paid to build a secure website for a client could be liable for damages if there was a mistake or oversight that led to a network intrusion. Coverage could include reimbursement for legal fees, settlements, damages in court cases and fines that may be levied by government regulators.

What cyber incidents do insurers typically exclude from coverage?

Most standard cyber policies exclude preventable security failures that result from failing to maintain a minimum level of security—an improperly configured firewall, for example. The careless mishandling of sensitive information by employees generally isn’t covered. Malicious acts by employees also generally aren’t covered, nor is theft of trade secrets or intellectual property.

The most high-profile cyber-related exclusions happened after the 2017 NotPetya ransomware attack that affected companies around the globe. Some companies that filed for cyber-related claims under their business and property insurance policies had them denied—in at least one case due to a rarely used but common contractual clause that excludes “a hostile or warlike attack” by a state actor. The Central Intelligence Agency attributes NotPetya to the Russian military.

If the breach is the company’s fault, is the insurer always off the hook?

Not always. Many policies cover employee mistakes such as losing a laptop or falling for phishing scams. But every case is open to interpretation, says Brandon Hickey, president of Insureon Brokerage. If an employee accidentally lost a laptop on the train, for instance, that might be covered. But under the same policy, if that employee lost a laptop that contained sensitive information that wasn’t supposed to leave the office, that could be grounds for a claims denial.

How long after a breach occurs does a company have to report it to an insurer?

There’s often a big difference between when the breach occurs and when it is discovered. On average, small businesses don’t discover that their network has been breached for 197 days, according to a survey by the Ponemon Institute. But once a company is aware of an attack, in general, insurance companies ask customers to inform them of any newly discovered cyber loss when practical. Insurers understand that companies will first want to settle immediate priorities such as securing the network against further intrusions.

Although “when practical” doesn’t mean immediately, sitting on the claim for too long might raise a few eyebrows that could affect a company’s settlement, says Bob Parisi, managing director at the Marsh brokerage unit of Marsh & McLennan Cos. It would be unusual for a company to file a claim, say, six months or more after it discovered an intrusion, he says.

An insurer’s requirement for notification could differ from a company’s legal obligations. All 50 states and the District of Columbia have enacted data-breach notification laws that require public and private organizations to notify all customers that are affected by data loss. Reporting times vary by state, but Colorado and Florida, for instance, have 30-day deadlines from the date of discovery, the shortest allowance for any state.

How do insurers price cyber insurance?

Pricing is based mainly on a company’s annual revenue—since more income amounts to higher risk exposure—and what industry it is in. The insurer wants to find out what sensitive data the company keeps that would make it a target to cyber criminals. A hospital would be more expensive to cover than a library, since the hospital stores a lot of patient medical records. Patient records are protected by strict state and federal privacy rules, so companies that expose that data could be subject to multimillion-dollar fines.

How much network security a company has can also influence premiums. Insurance companies will often ask companies to detail what kind of security they have during the application process, such as whether employees have been trained to recognize cyber fraud or if company software is routinely updated. Insurers also want to know how frequently companies change their passwords and how much network access third-party vendors and service providers have. They may also ask whether a company has had a third-party audit of its system or whether it has used a so-called external penetration tester, also known as ethical hacking, to root out any network weaknesses. MORE

Protecting client data is an ongoing obligation

Firms must perform due diligence on prospective providers

Redtail Technology's recent data leak is a reminder of the weighty responsibilities financial advisory firms face when it comes to cybersecurity. Redtail's customer relationship management system contained data about clients of advisory firms that use the CRM. When some of that information was inadvertently exposed, Redtail's problem also became the problem of the advisers who relied on its CRM.

The Redtail leak can't be blamed on hackers. The company captured personal information about advisory firm clients on an internal file, called a log file, that serves as a record for software developers, and that file was accessible via the internet.

It's becoming common for personal information to get an airing. Earlier this year, BlackRock exposed the data of about 20,000 financial advisers who used the company's iShares ETFs — advisers from firms including LPL Financial and Axa Equitable. Voya Financial Advisors also had a glitch on a page of adviser bios on its website that had the potential to expose advisers' Social Security numbers.

A recent report from Aite Group suggests the problem is widespread. The report looked at 30 mobile apps from various types of financial services firms and found vulnerabilities in 29 of them.

Assessing and monitoring the cybersecurity practices of their technology providers may seem far outside the comfort zone of financial advisers, but regulators have made it clear that advisory firms need to be on the case.

And they're stepping up enforcement to ensure firms do so. The Securities and Exchange Commission cited cybersecurity as one of its examination priorities this year, and the $1 million fine the agency imposed on Voya Advisors last fall, after hackers gained access to the personal information of thousands of its customers, was seen as a signal that the SEC is cracking down in this area.

A $50,000 fine the Financial Industry Regulatory Authority Inc. imposed on a small broker-dealer last year for having lax procedures that let hackers transfer money out of customers' accounts also was viewed as a warning to the industry.

Late last year, Finra updated its cybersecurity guidelines to include such topics as how to combat phishing attacks and mitigate insider threats.

So what's an advisory firm to do?

Finra guidelines for advisory firms using third-party vendors say firms should perform due diligence on prospective providers before they sign on the dotted line. Contracts should cover such topics as how the firm's information will be stored and transmitted, the vendor's obligations in the event of a breach and limitations on the vendor's employees' access to data.

Once the firm has hired a vendor, it must continue to monitor the vendor's efforts. And if a firm terminates the relationship, it should ensure that the vendor deletes all the data it held. Finra also notes that an advisory firm's risk assessments should include all of its vendors' systems and processes.

Last month, the North American Securities Administrators Association came out with a model rule that would require firms to have written policies and procedures in place regarding cybersecurity to protect client information.

Just discussing the work entailed in vetting fintech providers and preparing an advisory firm internally is enough to arouse nostalgia for the Underwriters Laboratories seal of approval on household electronics. If only it were that easy.

But when clients trust firms with their personal information, advisers must repay that trust by doing the work it takes to ensure the safety of that data.

The Best Way to Prepare for a Data Security Audit

At the New York Junior League’s “Technology Talk: Data Security in the Nonprofit Environment,” Lena Licata, a director in EisnerAmper's Process, Risk, and Technology Solutions (PRTS) group, and Rhina Brito, a senior in PRTS, discussed how firms can prepare for a data security audit. They addressed the policies and procedures to have in place, how top-level management needs to set the tone, having appropriate vendor risk management (VRM), how to perform a risk assessment using a framework such as the NIST Cybersecurity Framework and, finally, how to handle a breach.

Here are a few takeaways the duo mentioned relating to the above-mentioned points.

Policies & Procedures

  • Policies should come from top-level management, and be ‘built-to-last’ regardless of minor business changes.

  • Procedures should include step-by-step instructions.

  • Policies and procedures should be kept in an accessible place and also be kept simple.

  • Examples include Information Security Policy, Privileged User Policy, End User Compliance Policy and more.

Setting the ‘Tone at the Top’

  • An organization’s ‘tone’ is set by top-level management and leadership. It is paramount that they practice ethical behavior and set an example for their employees to follow.

Vendor Risk Management

  • VRM relates to how companies manage relationships with external parties they do business with.

  • It is imperative companies control vendor access to their systems and information.

  • Companies should protect information assets by assigning IT security staff to monitor vendor activity when vendors access the network and hardware (e.g., hard drives) and, further, consider having an IT risk assessment performed that evaluates the controls and safeguards the vendor has in place to ensure that information assets are protected from unauthorized access.

  • VRM is a five-step process: companies need to 1) identify the sources of risk a vendor can pose; 2) define risk assessment policies for vendors; 3) assess vendor risk; 4) remediate issues by working with critical vendors to ensure remediation; and 5) maintain continued vendor compliance through scheduled periodic assessments.

NIST Cybersecurity Framework

  • Companies can perform a cybersecurity risk assessment using this Framework, which consists of five elements, 1) Identify, 2) Protect, 3) Detect, 4) Respond and 5) Recover, so that a company is prepared for, and can react to, a cyberattack should it fall victim to one.

How to Handle a Breach

  • If companies fall victim to a breach, they need to stop the bleeding and identify the points of entry.

  • In addition, companies need to investigate what was accessed and compromised, and for how long.

    By Elana Margulies-Snyderman