Financial firms face more scrutiny of their cybersecurity practices, thanks to continued efforts from the Securities and Exchange Commission.
A new white paper from External IT looks at how to help firms prepare for the next round of cybersecurity-related testing by the SEC’s Office of Compliance Inspections and Examinations (OCIE), which the agency announced in a recent alert.
In April 2014, OCIE said that it would examine the securities industry to identify cybersecurity risks and assess the preparedness of advisors and broker-dealers. The initial findings of these exams, published in February, found that a majority of broker-dealers (88%) and advisors (74%) had experienced cyberattacks directly or through vendors, and had numerous gaps in their cybersecurity readiness.
In September, the SEC issued a risk alert on cybersecurity and announced a new round of exams to assess implementation of procedures and controls at broker-dealers and advisors.
External IT, an IT outsourcing firm that specializes in the financial services industry, has performed more than 100 security assessments in the wealth management industry over the past several years.
Using evidence from these assessments, External IT examines where firms are failing to meet the requirements laid out in the SEC’s September risk alert – focusing on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
External IT offers a number of tips and recommendations to help firms avoid the same mistakes as other firms.
1. Advance Preparation for an Attack
“It seems many firms only start incorporating true processes and proactive training once they have been breached,” External IT says.
In order to properly protect client information and confidential documents, firms need to periodically evaluate the risks and determine if the firm’s controls are tailored to its business, the paper says.
“Firms need to be able to recognize and respond to a breach quickly, if one were to occur,” the paper says. “To help achieve this, firms need to have documented procedures for monitoring systems and responding to cyber incidents integrated into regular personnel and vendor training.”
2. Access Controls
As External IT points out, to meet the standard set in the OCIE alert, firms need proof that they track failed login attempts, remote access and user access reviews, and that they make efforts to remediate inappropriate access.
Firms must also prove they encrypt, track and deactivate users’ remote devices when necessary.
In its own security assessments, External IT finds that many firms lack strong password policies, mobile device management, device and access monitoring, and role-based file permissions.
Employees are often able to move company data to personal and home devices with no accountability or tracking measures in place.
“All firms need to review their systems monitoring and logs of file access, applications, and remote access, paying specific attention to the reports provided by their in-house IT team or third-party IT firm,” the report says.
3. Data Loss Prevention
Firms should monitor data flows and check for unauthorized data transfers, such as through email attachments or uploads.
External IT found that more than 90% of firms archive their email, but far fewer actually monitor it. Email monitoring would require a person (or technology) to randomly sample emails and pull messages that contain words implying promised money gains or abusive language, the report says.
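The sampling-and-keyword review the report describes, as an added illustration that is not part of the white paper or any External IT tooling: a reproducible random sample of an archived mailbox is drawn and each sampled message is checked against phrase lists for promised gains and abusive language. The mailbox contents and the phrase lists are constructed for the example and would be tuned to a firm’s own supervisory policy.

```python
import random
import re

# Phrases implying promised money gains (constructed list for this example).
GAIN_PATTERNS = [
    r"guarantee[ds]?\s+(?:a\s+)?(?:\d+%|return|profit)",
    r"risk[- ]free",
    r"can't\s+lose",
    r"double\s+your\s+money",
]
# Abusive-language markers (constructed, deliberately short).
ABUSE_PATTERNS = [r"\bidiot\b", r"\bstupid\b", r"\bshut up\b"]


def flag_message(msg):
    """Return a list of (category, matched text) hits for one message; empty if clean."""
    text = f"{msg['subject']} {msg['body']}"
    hits = []
    for cat, patterns in (("promised_gain", GAIN_PATTERNS), ("abusive", ABUSE_PATTERNS)):
        for pat in patterns:
            m = re.search(pat, text, re.IGNORECASE)
            if m:
                hits.append((cat, m.group(0)))
    return hits


def sample_mailbox(messages, fraction, seed=0):
    """Pick a reproducible random subset of the archive to review (at least one message)."""
    k = max(1, round(len(messages) * fraction))
    return random.Random(seed).sample(messages, k)


def review(messages, fraction=1.0, seed=0):
    """Sample the archive, flag each sampled message, and return {id: hits} for a reviewer."""
    return {m["id"]: hits for m in sample_mailbox(messages, fraction, seed)
            if (hits := flag_message(m))}


# Constructed sample archive standing in for exported email.
MAILBOX = [
    {"id": 1, "subject": "Q3 statement", "body": "Attached is your quarterly statement."},
    {"id": 2, "subject": "Great opportunity", "body": "This fund is risk-free and I guarantee 12% by June."},
    {"id": 3, "subject": "Re: allocation", "body": "Don't be an idiot, just move the cash."},
    {"id": 4, "subject": "Lunch", "body": "Noon works for me."},
]

if __name__ == "__main__":
    for mid, hits in review(MAILBOX).items():
        print(mid, hits)
```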
External IT also suggests that all companies should manage Web traffic.