With data breaches at an all-time high—1,093 in 2016 alone, according to the Identity Theft Resource Center—regulators have gotten religion on the cyber-security issue. Over the last two to three years, they’ve conducted surveys, updated their examination protocols and issued enforcement actions—all designed to keep financial-services professionals and their customers safe.
However, this has raised the stakes for you—the life insurance agents, financial planners, securities brokers and investment advisor representatives on the front lines—to update your business practices in order to keep the hackers at bay.
How have you responded? Are you investing more time and energy into keeping your clients’ personal information secure? Are you spending more money on security software and consultants? And perhaps most importantly, do you know what regulators are looking for when they speak of cyber-security? This brief article addresses the last question only from the perspective of the SEC. In part 2, we will discuss FINRA, as well as state regulatory challenges. For both parts, keep in mind that these are only “reader’s digest” versions of this essential, but complex, topic. For full details, check with your compliance department.
Cyber-Security Focus Sharpens at the Securities and Exchange Commission (SEC)
As the primary regulator of large registered investment advisors (more than $100 million of assets under management), it’s not hard to see why the SEC has viewed mounting financial cyber-breaches with alarm. As a result, it sponsored a Cyber-Security Roundtable in 2014 and announced a series of compliance examinations to better identify cyber-security risks and preparedness in the securities industry. Then in September of 2015, it published its Cyber-Security Examination Initiative to promote more stringent security practices. This document essentially gave investment advisors their marching orders in terms of how to comply with the agency’s cyber-security expectations.
If you’re an investment advisor operating under the purview of the SEC (or plan to), you may want to commit the following six cyber-security mandates to memory:
- Governance and risk assessment. This deals with key business activities designed to protect client information. The agency expects you to have appropriate controls tailored to your business in order to prevent data breaches and other violations of client confidentiality. Periodically evaluating cyber risks is also part of this expectation, as is effective communication regarding cyber-risks between senior management and boards of directors. According to External IT, a financial-services IT consultant, “financial firms require an IT security program with proactive risk assessments, control implementation and monitoring and incident response. Firms need to be able to recognize and respond to a breach quickly, if one were to occur.” Risk assessments should also include penetration testing conducted either by, or on behalf of, the firm, along with vulnerability scans.
- Access rights and controls. A big part of cyber-security is having basic controls to prevent unauthorized access to systems or information. These include such things as multi-factor authentication, controls for remote data access, management of employee logins, and tiered access to confidential information. External IT recommends you be able to prove you track failed login attempts, remote access and user access reviews, along with efforts to remediate inappropriate access. Specific policies include strong password policies, the use of two-factor authentication, mobile device management, device and access monitoring, access logs for SaaS applications from non-managed devices such as home computers and tablets, and the use of role-based permissions.
- Data loss prevention. This involves the monitoring of data movement between employees, clients and vendors in order to identify unauthorized data transfers. According to External IT, regulators will look for proof that you (or your firm) classify data into distinct types and risk levels, while creating special procedures for tracking so-called personally identifiable information (PII). The goal is to make sure strong controls are in place to prevent inappropriate use of the riskiest data.
- Vendor management. Since some of the largest data breaches in recent history have resulted from the hacking of third-party vendor systems, the SEC is especially interested in making sure you do appropriate vendor due diligence. This involves assuring that cyber-security is an essential part of vendor selection, contract design and project supervision. The more vendor oversight, the happier the SEC will be, according to External IT. Part of this is compiling records of all the firm software and data to which vendors have access. Another key aspect is requesting and examining a vendor’s so-called SSAE 16 audit, making sure its control objectives underlying the audit meet firm expectations.
- Training. Despite your best efforts, hackers can wreak havoc on financial firms if employees are ignorant about cyber-risks and/or unable to follow sensible security practices such as safeguarding laptops while off-site, not accessing client accounts from unsecured Wi-Fi systems, and not opening messages or downloading attachments from an unknown source. According to External IT, your firm training should focus on how to identify malicious attachments, how to detect phishing attempts and social-engineering attacks, and to whom inside the firm to report suspicious or unknown activity.
- Incident response. If the worst comes to pass, the SEC wants to know you have plans in place to respond quickly to cyber-attacks or other types of data breach. Sadly, most financial advisory firms lack checklists and procedures on the shelf to guide their post-event actions. External IT says delegating this to the firm’s attorney is insufficient because clients will want to know immediately if their money is at risk. Taking days or weeks to create a legal “official response” will fall far short of a desirable response in the eyes of regulators and clients. Best approach: rely on cyber-security firms with technical and governance experience who know exactly what to do in the event of a data breach.
In addition to adhering to the above cyber-security regulatory principles, don’t lose sight of two bedrock SEC rules that relate to cyber-security management: SEC Regulation S-P, Rule 30 and SEC Regulation S-ID. The former requires you to create written policies and procedures to secure the confidentiality of customer records and information. The latter is designed to prevent identity theft, requiring you to have reasonable policies and procedures for identifying red flags and detecting and responding effectively to them.
Even with all this compliance guidance on the table, investment advisors apparently have a long way to go before the SEC decides their cyber-security measures are up to snuff. That’s because in the wake of the May 2017 WannaCry ransomware attack, the SEC announced that a high percentage of advisors are failing to perform cyber-risk assessments (26 percent) and are not performing penetration or vulnerability tests (57 percent). In the current threat environment, it’s fair to say that skipping those measures puts clients at a high risk of having personal information compromised or their money stolen.
Bottom line: to meet the SEC regulatory challenge when it comes to cyber-security, if you’re doing business as an investment advisor, you can no longer do business as usual. This involves:
- Staying current on the latest regulatory expectations.
- Making cyber-security a top business (and management) priority.
- Tapping available sources of information within compliance departments, IT consultants, and regulatory examiners.
- Developing and deploying consistent staff training to avoid the most obvious security lapses that lead to data loss.
- Performing frequent cyber-security assessments and vulnerability tests.
In Part 3 of this series, we’ll address the regulatory challenges from FINRA and state investment and insurance departments.