On Friday, July 10, 2020, the SEC's Office of Compliance Inspections and Examinations (OCIE) published a cybersecurity risk alert warning the investment industry about the increasing sophistication of ransomware attacks, and of the phishing campaigns that commonly deliver them, against SEC registrants.
In the alert, OCIE describes an apparent rise in sophisticated, targeted attacks and encourages broker-dealers, investment firms and investment advisers to take direct, specific actions to safeguard investor information, proprietary intellectual property and other digital assets, and to shore up their practices for monitoring and responding to internal and external cyber incidents.
Focus Areas for Registered Investment Advisors (RIAs)
We have summarized the salient points of the OCIE's risk alert below.
Generally, the risk alert acknowledges that there is no universal solution to cybersecurity and that any program must be scaled appropriately to each firm. The OCIE staff then share several observations and considerations for investment firms looking to improve their cybersecurity preparedness and operational resiliency, as follows:
1. Incident response and resiliency policies and procedures.
- Evaluate, test and update these procedures periodically, including disaster recovery and contingency plans, incident escalation paths, client notification procedures and scenario planning.
- Align Observation: Align routinely tests its own internal systems, including emergency notifications and remote-access capabilities, and provides the same testing for its clients' environments.
2. Operational resiliency.
- Ensure that critical business operations and applications can continue if an event occurs and primary systems become unavailable.
- Additionally, data should be backed up in geographically diverse locations so that it remains available during a disruption. Because ransomware routinely seeks out and encrypts reachable backups, at least one copy should be kept offline or otherwise immutable, and restores from it should be tested rather than assumed to work.
- Align Observation: Align works directly with its clients to ensure their critical systems and data sets are designed to achieve continuity through a disruption or disaster.
3. Cybersecurity education and training.
- Conduct cybersecurity training and simulated phishing exercises company-wide to help employees recognize phishing emails and follow the proper reporting protocol.
- Align Observation: Align's team has curated its own industry-specific Security Awareness Training program that is fully reportable and includes live phishing campaigns that mimic social engineering attacks which have successfully infiltrated investment firms.
- Employees who can recognize social engineering, and know how to report it, give investment firms a realistic chance of stopping an attack before it succeeds.
4. Proactive patch management and vulnerability identification.
- Implement proactive vulnerability and patch management programs that account for the current risks to the firm's technology stack and that run frequently and consistently across the entire environment, including remote-access infrastructure and third-party software, which are frequent ransomware entry points.
- Align Observation: Align's Vulnerability Management solutions offer customers (i) vulnerability assessments and periodic penetration testing so your team can identify and understand current cybersecurity threats and reduce risk; (ii) a full vulnerability diagnosis of the existing IT infrastructure; (iii) a review and assessment of existing cybersecurity policies and controls, evaluated against compliance obligations and the current legal landscape; (iv) an initial IT/network assessment covering present vulnerabilities and the firm's cybersecurity risk profile, with clear and quantifiable results; and more.
- Align Observation: Align Managed Services clients receive complete patch management monitoring, implementation and testing, coordinated around each client's schedule and workflows to avoid interrupting or distracting the firm's operations.
5. Access management.
- Registrants should identify and implement appropriate access control protocols, such as the principle of least privilege, to restrict user access rights within the organization and thereby lower the firm's overall risk.
- Implement access management policies that limit access to sensitive business information to only those personnel who need it to perform their jobs, and review and revoke access promptly when roles change or employees depart.
- As an added layer of security, firms should also require multi-factor authentication, particularly for remote access and for privileged or administrative accounts.
6. Perimeter security.
- Manage and monitor the ingress and egress of data, traffic and activity throughout the network, leveraging firewalls, intrusion detection systems and email security systems, and close or tightly restrict externally exposed remote-access services such as remote desktop.
- Align Observation: All Align Managed Services clients have the option to deploy our proprietary Managed Threat Protection solution, designed specifically for investment firms with either centralized or decentralized network environments, with continuous 24x7x365 monitoring by our Security Operations Center (SOC) for known and unknown threats. This enables our team to continuously monitor, detect and respond to suspicious activity in your network, safeguarding your critical infrastructure from attackers.
Please note that the foregoing is provided for guidance and informational purposes only; we invite you to reach out to our Cybersecurity Advisory Team if you have any specific questions or concerns.
- To learn more about Align's Cybersecurity Advisory Practice, visit here.
- Download the whitepaper on Cyber Security Awareness.