From Bentley Long
In the course of my work, I regularly speak with RIAs of all sizes and AUM on cybersecurity risk management and compliance. Every firm is concerned about cybersecurity - sometimes driven by confusion about regulatory guidance, other times driven by fear of damage to the firm's reputation from a data breach.
The Investment Advisers Association recently published their 2018 Compliance Testing Survey, and for the fifth year in a row cybersecurity was the No. 1 concern, cited by 81% of survey respondents.
And yet, convincing firms to make additional investments in information security remains a challenge. I attribute a lot of the pushback to "cyber fatigue". The cybersecurity industry has done itself a great disservice by selling on fear. The result is that many firms have become desensitized to a very real and imminent danger.
The antidote to cyber fatigue is education against a non-apocalyptic backdrop. Cyber attacks are a fact of life in the 21st century; there is no choice but to address the threat. In this article, I will deconstruct some of the most common excuses that I hear for not taking action to continuously improve cybersecurity practices.
#1 - I have a Firewall and Use Antivirus Software so I'm Protected
Antivirus software and a network firewall offer the most basic elements of cyber risk mitigation. However, they are only a small piece of a comprehensive solution.
Antivirus programs rely on databases of "signatures" for malware and suspicious behaviors that are already known to the security community. That's a problem: if a threat is unknown, a signature can't detect it. Increasingly, we find that antivirus vendors can take months to add detections for the more complex threats, leaving endpoints unprotected in the meantime. Moreover, if you don't regularly update your antivirus, or accidentally disable it, you won't be getting full protection.
The greatest threat to investment advisers is a phishing attack, and antivirus programs offer almost no protection against fraudulent emails that trick users into releasing sensitive information to attackers. The best defense against phishing emails is to conduct regular Security Awareness Training, and run simulated phishing attacks to teach users to recognize malicious emails.
A firewall is the first line of defense for your network, but it needs to be regularly checked for proper configuration. If a port is opened for a vendor or a software program and never closed, that forgotten opening becomes a vulnerability. Periodic vulnerability scans and penetration tests will detect improper configurations so that they can be fixed. Best practice also dictates the use of a Network Intrusion Detection System (NIDS) in conjunction with the firewall, as well as a Host-Based Intrusion Detection System (HIDS) and/or Host-Based Intrusion Prevention System (HIPS) to protect servers.
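The "port opened for a vendor and never closed" problem above is easy to check for mechanically between penetration tests. The following Python script is an added example, not tooling from the original article: it walks a list of inbound firewall rules and flags any allow rule that exposes a non-approved port to the whole internet, or whose temporary exception has passed its end date. The rule layout, the approved-port list (HTTPS only), the review date and the sample rules (using RFC 5737 documentation addresses) are all constructed assumptions; a real run would populate the rule list from the firewall's own export.

```python
"""
Flag inbound firewall rules that expose a port to the whole internet or that
outlived a temporary vendor exception. Added example, not the article's own
tooling: the rule layout, the approved-port list, the sample rules and the
review date are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    direction: str                   # "inbound" or "outbound"
    source: str                      # CIDR the rule accepts traffic from
    port: int                        # destination port
    expires: Optional[date] = None   # end date of a temporary exception, if any


# Ports the firm deliberately exposes to any source (assumption: HTTPS only).
APPROVED_INTERNET_PORTS = {443}


def audit(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, reason) pairs for rules a reviewer should look at."""
    findings = []
    for r in rules:
        # Only permissive inbound rules widen the attack surface.
        if r.action != "allow" or r.direction != "inbound":
            continue
        # A zero-length prefix (0.0.0.0/0 or ::/0) means "anyone on the internet".
        open_to_world = ip_network(r.source, strict=False).prefixlen == 0
        if open_to_world and r.port not in APPROVED_INTERNET_PORTS:
            findings.append((r.name, f"port {r.port} is open to any source"))
        # A vendor or software exception that was never closed after its end date.
        if r.expires is not None and r.expires < today:
            findings.append((r.name, f"temporary exception expired {r.expires.isoformat()}"))
    return findings


# Constructed sample rule set (RFC 5737 documentation addresses, not real hosts).
SAMPLE_RULES = [
    Rule("https-web", "allow", "inbound", "0.0.0.0/0", 443),
    Rule("vendor-rdp", "allow", "inbound", "0.0.0.0/0", 3389, expires=date(2018, 6, 30)),
    Rule("office-vpn", "allow", "inbound", "203.0.113.0/24", 1194),
    Rule("custodian-sftp", "allow", "inbound", "198.51.100.10/32", 22, expires=date(2019, 12, 31)),
    Rule("block-telnet", "deny", "inbound", "0.0.0.0/0", 23),
]


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit against the constructed rules as of a fixed review date."""
    return audit(SAMPLE_RULES, today=date(2018, 9, 1))


if __name__ == "__main__":
    for name, reason in audit_sample():
        print(f"{name}: {reason}")
```

Run against the constructed rules, only the vendor RDP rule is reported, and it is reported twice: once because port 3389 is reachable from any source, and once because the exception's end date has passed. The custodian SFTP rule is not flagged because it is pinned to a single source address and its exception is still current, which is the shape a deliberate vendor opening should have.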
In summary, antivirus and a network firewall are important pieces of your overall strategy, but they are not "set it and forget it" tools. They require periodic updates and maintenance, and must be augmented with other elements of a robust cyber strategy.
#2 - My IT Services Provider Has Addressed the SEC's Guidance on Cybersecurity
I have observed an inherent gap between IT and compliance. Managed Service Providers (MSPs) tend to view the world in terms of network security and endpoint management, while compliance officers often lack the technical expertise to advise on cybersecurity issues. MSPs often bundle point solutions from multiple vendors into a one-size-fits-all cybersecurity suite that is part of their monthly fee. The suite is designed to be industry agnostic, which allows the MSP to enjoy volume discounts and avoid the difficulty of managing multiple tools that serve the same function. This makes perfect business sense.
For RIAs, this approach falls short, because the SEC has provided very specific guidance on cybersecurity through its Office of Compliance Inspections and Examinations (OCIE). Moreover, in an SEC examination on cybersecurity, you will be asked to produce a Written Information Security Policy (WISP) based on that guidance. You will also be asked to provide evidence that all firm employees understand and are following these policies.
Adding it up, the SEC recommends 34 specific elements for your security program which can be broken down into six subgroups: Governance and Risk Assessment, Access Rights and Controls, Data Loss Prevention, Vendor Management, Training, and Incident Response.
MSPs are an important part of your cyber compliance plan, but at most they address some of the Access Rights and Controls, and some of the Data Loss Prevention subgroups. What about the other pieces?
In addition, the periodic risk assessments recommended by the SEC should not be performed by the same entity that sets up and maintains your network. The assessment needs to be performed by an independent third party to ensure unbiased results.
#3 - Our Business is Way Too Small to Be a Target
First of all, you work in Financial Services, which means you work in one of the top three industries targeted by hackers. Initiating fraudulent wire transfers through phishing can be surprisingly easy and quite lucrative.
Secondly, because you are a small business, you are less likely to have invested in cybersecurity. This makes you an easier target.
Lastly, hackers have begun using bots and artificial intelligence to scan public-facing networks for vulnerabilities, and can even use them to engage potential targets in social engineering attacks. This means that hackers can scale their efforts dramatically. No one is immune.
If you want to read the sobering statistics on SMBs and cybersecurity from the Ponemon Institute, you can find them here. But the bottom line is that you are an attractive target to hackers.
#4 - We Only Access Secure Portals, So Our Endpoints (Devices) Don't Need Protection
Another variant of this is, "I don't need to worry about my devices since all my data and applications are in the cloud. There's nothing valuable on them."
Au contraire. Users, and by proxy their endpoints, are the weakest link in securing your firm's sensitive information. How do you know that the endpoint hasn't been compromised when you are accessing a secure site?
Devices can be infected via a USB drive, an email attachment, a website, or simply by connecting to an unsecured Wi-Fi network. Once infected, the device can transmit keystrokes and login credentials that allow the hacker to access your data in the secured portal.
Even if your applications are cloud based, many of them keep a local copy of your data to give you access when you are offline. If your email client stores your messages in a local folder, that information can be a treasure trove for hackers. It can be used to impersonate you for fraudulent purposes, as well as to phish all of your contacts, among other things.
Think about all of the devices that you use to access work applications and data. Smartphones, tablets, laptops, and desktops all need to be encrypted, monitored, and protected with antivirus and mobile device management (MDM) software.
#5 - We Don't Need Cyber Insurance
The term "cybersecurity" is something of a misnomer. It implies that your information can be totally secured. In reality, you reach a point of diminishing returns with point solutions. It becomes increasingly expensive to achieve marginal gains, and you can never get to 100% secure. That's why you need cyber insurance.
Purchasing a cyber insurance policy is not tantamount to throwing in the towel on securing sensitive information. It is, rather, an acknowledgement that cyber attacks are a growing threat to your business in the same way that fire, theft, and workers' comp claims are.
Many firms assume that they already have coverage under their general liability policy. This can be a costly assumption. Most traditional commercial general liability policies exclude claims arising from access to or disclosure of confidential information, whether those claims are framed as property damage or as personal and advertising injury.
In addition, many of the cyber policies written to date are not worth the paper they are printed on. They have a long list of exclusions and high retentions (deductibles) that make them unlikely to pay out in the event of a breach.
Take the time to talk to a cyber insurer that specializes in RIAs. The time to find out about gaps in coverage is not after you have had a breach.
Don't perpetuate these myths. Realize that most myths are really "partial truths". That means that these misconceptions start with a reasonable assumption but fail to take account of the bigger picture. A comprehensive cybersecurity risk management and compliance program has multiple elements. The biggest myth is that you can find one silver bullet that will make you secure.
And remember, the threat is constantly evolving, so an annual assessment of your policies, procedures, protections, and risks is the only way to keep current. Stay safe, my friends.