Posted by Michael Heaton on 07/17/2017

It is clear that cybersecurity is an ongoing and growing concern for the securities industry, and large-scale events are happening daily. We will therefore regularly use this space to provide different perspectives on the scope of the challenge and to describe steps that firms may take to better protect their critical information. Our article, “Cybersecurity: On-going Risks & Compliance Challenges,” focused specifically on the SEC’s cybersecurity risk alerts. In this post, we explore how cybersecurity fits into the broader concept of information security, to provide additional context on the risks and the implications for your compliance program. Title 44 of the U.S. Code defines information security as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.” That definition is necessary, but not sufficient, for a complete understanding of what information security encompasses and what it implies for our work: it names the outcomes to prevent, not the controls, people and processes that prevent them.

At many investment adviser and broker-dealer firms, for example, it is not uncommon to see confusion about how cybersecurity differs from the existing IT function. If your firm has responsibilities under Regulation S-P for administrative, technical and physical safeguards, ask yourself what protections you have in place for the firm’s critical information and what testing you have performed to confirm they work. If the answer is that you maintain antivirus software and firewalls on your computers, and that is the extent of the effort, then you are likely not fully addressing the risks. If you are new to information security, start from a practical, hands-on perspective: develop information security policies and procedures as concrete steps grounded in your risk assessment, rather than as a document written to satisfy an examiner.

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) and FINRA have issued detailed guidance and alerts on the topic. OCIE’s September 2015 risk alert identified key areas of focus for the industry: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. FINRA’s 2017 Examination Priorities Letter also includes cybersecurity as a continued focus of its examination efforts, including “firms’ methods for preventing data loss, including understanding their data … and its flow through the firm, and possibly to vendors.” FINRA further states in the letter that a firm’s controls should be informed by an understanding of any personally identifiable information (“PII”) the firm maintains and which parties potentially have access to it.

While these are not specific recommendations, nor an exhaustive list of possible solutions, firms that work through this process often take the following steps toward a more complete cybersecurity program:

  • Completion of a cybersecurity risk assessment (consider engaging an outside cybersecurity expert), so that the remaining steps are prioritized by actual risk rather than by vendor pitch.

  • Implementation of centrally managed malware protection, so that coverage, signature updates and alerts are visible in one place rather than left to each workstation.

  • Implementation of controls for the “principle of least privilege,” ensuring that individuals have access only to the systems and data they need to do their work, with access reviewed when roles change and revoked on departure.

  • Information security training for all employees, including the people who handle customer records and wire instructions, not only the IT staff.

  • Full-disk encryption on every machine and removable device that holds firm data, including laptops that leave the office, so that a lost device is not a data breach.

  • Avoidance of email for transmitting PII to customers, in favor of a secure file-sharing or client portal platform that authenticates the recipient and encrypts the transfer.

  • Written cybersecurity policies and procedures that reflect what the firm actually does and are tested against it.

  • Periodic vulnerability assessments, typically performed with an “agent” installed on the firm’s systems or a scanner attached to the firm’s network, to identify unpatched and misconfigured systems; this is distinct from continuous monitoring of network activity, which detects misuse rather than weaknesses.

  • Data Loss Prevention (“DLP”) safeguards that block sensitive data from leaving via email, web forms and removable media, and that cover data stored on local drives, including remote laptops.
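To make the DLP bullet concrete, the following Python sketch shows the content-inspection step that such a safeguard applies to an outbound message: detect U.S. Social Security numbers and payment-card numbers in the body, reduce false positives with the structural rules the SSA publishes and the Luhn checksum, and block only when the message is leaving the firm. This is an added example written for this post, not code from the original article or from any DLP product; the internal domain, the message samples and the channel decision are constructed assumptions.

```python
import re

# Added example (not from the original post): minimal content inspection of
# the kind a DLP control performs on outbound email. The regexes, the sample
# messages and the internal domain below are constructed for illustration.

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
# Assumption: this covers the common card formats; it is not exhaustive.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def is_plausible_ssn(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999, group 00 and serial
    0000 are never issued, so digit runs with those values are not SSNs."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Luhn checksum used by payment-card numbers. A random 13-19 digit run
    (order or trade reference) passes this only one time in ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return a list of (kind, matched_text) findings for the message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def outbound_decision(message, internal_domain="example-adviser.com"):
    """Return ('allow'|'block', findings). PII is blocked only when at least
    one recipient is outside the firm; internal mail is allowed but the
    findings are still returned so they can be logged."""
    findings = find_pii(message["body"])
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + internal_domain)]
    if findings and external:
        return "block", findings
    return "allow", findings


# Constructed sample messages (not real customer data).
SAMPLE_MESSAGES = [
    {   # SSN going to a customer address: must be blocked
        "to": ["jane.doe@gmail.com"],
        "body": "Hi Jane, as requested your SSN on file is 219-09-9999.",
    },
    {   # Card number sent between two staff members: allowed, but logged
        "to": ["ops@example-adviser.com"],
        "body": "Card on file for the client: 4111 1111 1111 1111, please update.",
    },
    {   # Trade reference that fails Luhn and an unissued SSN pattern: no PII
        "to": ["jane.doe@gmail.com"],
        "body": "Trade reference 1234567890123 confirmed. Test record 000-12-3456 was purged.",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        decision, found = outbound_decision(msg)
        print(decision, msg["to"], found)
```

Two practical caveats follow from the code. Pattern matching alone both over- and under-detects: the checksum and range rules remove most accidental hits on reference numbers, but a customer’s account number in the firm’s own format will not be caught unless you add a rule for it, and a determined insider can defeat regexes by reformatting the data. Production DLP therefore pairs content rules like these with exact-data matching against the firm’s customer list, inspects attachments and web uploads as well as message bodies, and covers removable media and local drives, as the bullet above describes.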

Of course, not all of your information is going to be electronic or cloud-based, and your information security program should also address how you protect hard-copy files, paper and anything else in analogue form. Consider the following:

  • Where is customer information stored, including copies in printers, file rooms, and off-site storage?

  • Who has physical access to customer information?

  • How do you restrict access to customer information, such as with keys, passwords, clean desk policies, and secure disposal of paper records?

In practice, then, information security consists of an ecosystem of technical safeguards, awareness and individual actions. Each component is important on its own, but none is sufficient as a standalone item; they have to be implemented together, and tested together, for you to create a truly effective program.