The old saying about bank robbers – they go where the money is – applies to today’s cybercriminals.
Cyberattacks are on the rise, and financial firms are a major target.
Assessing cybersecurity requires analyzing a broad array of risks. Firms may consider some aspects of cybersecurity more important to their operations than others, but there is a broad array of general security policies that applies to all of them.
To assist firms in making decisions on cybersecurity, the Texas State Securities Board suggests the following resources for state-registered investment advisers and other registered professionals. The resources listed do not constitute legal advice, nor should they be construed as “best practices” or rulemaking by the State Securities Board.
The Big Picture
Whatever it's called – a checklist, guidance, or a "cyber planner" – any effective approach to cybersecurity starts with a comprehensive review of where a firm stands with regard to the technology it has in place, its policies, and the training of its staff. Most important is the question of how everything ties together to help the firm's primary constituency: its clients.
The planning guides below help firms broadly identify the risks related to cybersecurity, establish cybersecurity procedures, protect firm networks, assess the risks of access to client information, and implement procedures regarding third-party vendors. They are not operational playbooks, but simply starting points that cover the topics on this page and others.
Small Firm Cybersecurity Checklist, Financial Industry Regulatory Authority
Guidance for Small Firms, SIFMA
Cybersecurity Guidance, Securities and Exchange Commission
Small Biz Cyber Planner, Federal Communications Commission
Assessments to identify cybersecurity risks are an ongoing process, both internally and with third-party vendors. Once risks are identified, a framework can help you prioritize them and set deadlines for mitigating them.
- Ensure computer software/applications are updated with security patches regularly;
- Ensure that the vulnerability scanning tools you use are regularly updated and contain the latest security vulnerabilities information;
- Subscribe to vulnerability intelligence services in order to stay aware of emerging threats and exposure;
- Run an automated vulnerability assessment tool against all systems on the network on a regular basis. Promptly compile prioritized lists of the most critical vulnerabilities;
- Establish best practices in the event of a ransomware attack. In such attacks the victim typically receives a message demanding a ransom in exchange for restoring access to computer systems.
How to Protect Your Networks from Ransomware, U.S. Department of Justice
Incident Response Planning
Speed is everything when responding to a cyberattack. An incident response plan will help you make more informed decisions during the stress of an attack.
The U.S. Department of Justice’s guidelines on responding to a cybersecurity attack focus on smaller organizations. This document advises that firms at a minimum consider the following issues:
- Identifying those responsible for different elements of an organization’s cyber incident response;
- How to contact critical personnel or outside vendors at any time;
- Identifying the personnel who will serve as back-up if critical personnel are unreachable;
- How to preserve data related to the intrusion;
- Establishing the criteria that will be used to ascertain how data owners, customers, or partner companies should be notified if their data, or data affecting their networks, is stolen; and
- Procedures for notifying law enforcement and/or computer incident-reporting organizations.
Best Practices for Victim Response and Reporting of Cyber Incidents, U.S. Department of Justice
Encryption uses algorithms to render data undecipherable unless it is accessed through a specific decryption key. Encryption is intended to protect underlying data even if there is a cybersecurity breach. Considerations include:
- Written policies and procedures which categorize data as confidential or non-confidential to prevent unnecessary encryption;
- Procedures for the physical security of confidential data and systems containing confidential data, such as servers, laptops, and removable media devices;
- Encryption of all data systems that contain or access confidential information;
- Managing the identities and credentials for authorized users;
- Consultation with outside information technology professionals who specialize in cybersecurity for financial services.
Report on Cybersecurity Practices (pages 20-21), Financial Industry Regulatory Authority
Anti-virus software scans files on a computer to identify viruses and threats such as malware. It also attempts to identify suspicious behavior in a computer program that might indicate infection. The following are considerations for anti-virus software:
- Using anti-virus software on all devices that access the firm’s network, including mobile devices
- Running anti-virus updates on a regular basis
- Training employees on how anti-virus programs work and how to report suspicious events
- Ensuring that an outside vendor is implementing the most recent anti-virus programs and updating them regularly
Destructive Malware, Federal Financial Institutions Examination Council
The use of secure email with encryption and digital signatures can reduce the risks of communicating with clients. Email is the most likely way for a cyber-criminal to take over a client’s account. Consider implementing the following practices:
- Develop an email usage policy that includes regular cybersecurity training and bulletins when new viruses and threats are detected;
- Set up a strong filter to block spam and potentially harmful email;
- Require authentication practices for access to email on all devices;
- Require strong passwords and frequent changing of passwords;
- Ensure that client instructions received via email are authenticated.
Backup and Recovery
When it comes to a cybersecurity incident, it's more a matter of "when" than "if."
Data backup and retrieval is as important as any other piece of a cybersecurity program, and it ties into business continuity plans, managing third-party technology providers, and written contingency plans in the event of a cyberbreach. You should consider:
- Implementing a plan and beginning to back up data on a regular basis;
- To mitigate the risk of theft or disaster, keeping copies of data on separate hard drives in a secure offsite location, or accessing backed-up data via remote servers;
- When recovering data, fixing the vulnerabilities that allowed the data to be compromised in the first place;
- Testing your backups on a regular basis by restoring files to a test computer, in order to ensure that the backup process is working properly;
- Integrating planning for a cybersecurity incident into your firm's business continuity plan.
Guide for Cybersecurity Event Recovery, National Institute for Standards and Technology, U.S. Department of Commerce
Firms are increasingly moving to cloud computing to store data. Cloud computing refers to data that is accessed over the Internet from remote servers. Cloud storage can save costs on internal servers or hard drives, but there are important considerations before making the move.
- Conduct due diligence into the cloud service provider before signing with the company;
- Evaluate the cloud service provider’s safeguards against breaches and its response in the event of breaches, including cyber-insurance coverage;
- Understand how the firm’s data is segregated from other entities’ data within the cloud service;
- Establish restoration procedures in the event of breach or loss of the data stored through the cloud services;
- Encrypt data containing sensitive or personally identifiable information that is stored through a cloud service;
- Establish policies and procedures in the event that the cloud service provider is purchased, closed, or otherwise unable to be accessed;
- If a firm relies on free cloud storage, back up all records elsewhere.
Threats include disgruntled employees who may seek revenge through cyber-sabotage, profit-seekers who may believe they can sell stolen intellectual property, or employees starting a business who steal customer lists or business plans. Firms can protect themselves by taking basic preventative steps:
- Recognize that certain behaviors may indicate an employee is a potential insider threat. These include network security violations such as failed log-in attempts, downloading large amounts of data, altering sensitive files, or personnel issues such as disputes with co-workers.
- Manage remote access from both internal and external parties.
- When an employee leaves the firm, make sure all access to the firm’s network and databases is disabled.
- If engaged in an office sharing arrangement with an unaffiliated individual or firm, make sure the firm’s client data is kept private and secure.
Best Practices for Victim Response and Reporting of Cyber Incidents, U.S. Department of Justice
Firms that maintain websites
A website is the face of the firm and, most importantly, often serves as a portal for a client to directly access account information.
- A firm that relies on a third party for website maintenance should have an agreement in place regarding the confidentiality of information;
- The firm’s client portal should use SSL/TLS or another form of encryption;
- User authentication credentials should be encrypted, and additional authentication credentials should be required when accessing the website from an unfamiliar network or computer.
The cyber-insurance market is growing rapidly as firms come to grips with the costs of cyberattacks.
As with all insurance, the amount of coverage and exclusions in the policy – and the wide range in cost – are important considerations in deciding whether to buy this type of insurance. Firms may need to consider:
- Putting safeguards in place to ensure the cyber-insurance policy is not voided through actions of employees such as failure to update security;
- Whether breaches from inside the firm are covered;
- Evaluating whether the policy includes damages from theft and data loss or third-party coverage. Without such coverage a firm may have to pay for associated legal expenses, notification expenses, and remediation costs.
Cybersecurity for the insecure RIA, Investment News