Close
ThinkAdvisor

Regulation and Compliance > Cybersecurity

Top 6 Cybersecurity Mistakes Financial Firms Make: External IT

X
Your article was successfully shared with the contacts you provided.

Financial firms face more scrutiny of their cybersecurity practices, thanks to continued efforts from the Securities and Exchange Commission.

A new white paper from External IT looks at how to help firms prepare for the next round of cybersecurity-related testing by the SEC’s Office of Compliance and Examinations (OCIE), which the agency announced in a recent alert. 

In April 2014, OCIE said that it would examine the securities industry to identify cybersecurity risks and assess preparedness of advisors and broker-dealers. The initial findings of these exams, published in February, found that a majority of broker-dealers (88%) and advisors (74%) have experienced cyberattacks directly or through vendors, and had numerous gaps in their cybersecurity readiness.

In September, the SEC issued a risk alert on cybersecurity and announced a new round of exams to assess implementation of procedures and controls at broker-dealers and advisors.

External IT, an IT outsourcing firm who specializes in the financial services industry, has performed more than 100 security assessments in the wealth management industry over the past several years.

Using evidence from these assessments, External IT examines where firms are failing to meet the requirements laid out in the SEC’s September risk alert – focusing on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

External IT offers a number of tips and recommendations to help firms avoid the same mistakes as other firms.

1. Advance Preparation for an Attack

“It seems many firms only start incorporating true processes and proactive training once they have been breached,” External IT says.

In order to properly protect client information and confidential documents, firms need to periodically evaluate the risks and determine if the firm’s controls are tailored to its business, the paper says.

“Firms need to be able to recognize and respond to a breach quickly, if one were to occur,” the paper says. “To help achieve this, firms need to have documented procedures for monitoring systems and responding to cyber incidents integrated into regular personnel and vendor training.”

2. Access Controls

As External IT points out, to meet the OCIE alert standard firms need proof they track failed login attempts, remote access and user access reviews, as well as that they make efforts to remediate inappropriate access.

Firms must also prove they encrypt, track and deactivate users’ remote devices when necessary.

From External IT’s own security assessments, it finds many firms lack strong password policies, mobile device management, device and access monitoring, and use of role-based file permissions.

Employees are often able to move company data to personal and home devices with no accountability or tracking measures in place.

“All firms need to review their systems monitoring and logs of files access, applications, and remote access, paying specific attention to the reports provided by their in-house IT team or third-party IT firm,” the report says.

3. Data Loss Prevention

Firms should monitor data flows and check for unauthorized data transfers, such as through email attachments or uploads.

External IT found that more than 90% of firms archive their email, but far less actually monitor their email. Email monitoring would require a person (or technology) to randomly sample emails and to pull messages that contain words that imply promised money gains or abusive language, the report says.

External IT also suggests that all companies should manage Web traffic.

“At a minimum, a company has the right to know what websites an employee visits while using systems owned or managed by the firm,” the paper says. “More importantly, all sites that contain malicious or inappropriate content should be blocked. If possible, a web filter can be attached to index private content and send an alert when data leaves the company.”

Another suggestion from External IT is multi-factor client verification.

“Some client requests may not be genuine, so firms should verify which are real and which are false,” the report says.

Firms can verify client requests by using multiple forms of authentication.

“Many firms claim to know their clients so well that they recognize their voice or phone number,” the paper says. “Regardless, to be compliant, employees must verify phone numbers with a CRM system. Always ask a phone caller to also send a fax or email as confirmation of the client request. Make sure employees are trained to verify the identity of clients.”

4. Vendor Management

The bigger the third-party partnership, the bigger the potential data breach, as the paper points out.

“Firms owe it to their clients, and themselves, to choose vendors carefully after intensive due diligence,” the paper says. “Examiners may study a firm’s vendor relationships, assessing the appropriateness of contract terms and how much oversight the firm applies to vendors.”

External IT says that firms need to keep records of the software and data that vendors can access — even vendors hired to mitigate cybersecurity risks.

5. Training

“The #1 cybersecurity risk today is the uninformed employee,” External IT says. “Firms must take it upon themselves to educate their employees about security and privacy risks.”

To do this, firms should create written guidance and materials for employees and update them regularly.

According to the paper, employees should understand the main threats that exist in today’s environment.

“For example, security training in 2015 and 2016 should include how to identify malicious attachments that may carry crypto-locker or crypto-wall [viruses],” the paper states.

Employees should also understand how to identify phishing attempts and social engineering attacks, as well as whom to speak to at the company about suspicious or unknown activity.

6. Incident Response

Through its own assessments, External IT has found that most firms do not have a comprehensive cybersecurity incident response program.

“When asked if an incident response plan was in place, many firms looked to their attorney for a response,” the paper states. “This is an issue as clients need to know right away if their [personally identifiable information] or money is at risk and cannot afford to wait days or weeks for attorneys to create an ‘official response.’”

Firms should assess the damage and risk right away and take “immediate, corrective action,” the paper states. External IT also suggests that firms should have insurance for cybersecurity incidents in place.

—Related on ThinkAdvisor:

More on this topic