Investment Adviser Cybersecurity: Principles and Effective Practices

The financial industry has traditionally been the primary target for cybercriminals and is increasingly receiving focus from the SEC, CFTC/NFA and Congress alike. [1] At the June 2015 SINET Innovation Summit, SEC Commissioner Luis A. Aguilar characterized cybersecurity as “one of the defining issues of our time.” [2] In testimony provided during a June 2015 Congressional hearing, it was revealed that one major U.S. bank was recently subjected to 30,000 cyberattacks in a single week, which amounted to a new attack every 34 seconds. [3]

In light of the SEC’s increased focus on cybersecurity, [4] investment advisers should review their cybersecurity framework and develop a strategy and compliance policies tailored to their particular business. Although there is no “one size fits all” approach, firms may consider adopting and tailoring the following principles and effective practices as they develop their cybersecurity strategy: [5]

Governance and Risk Management:

• Define a governance framework appropriate for the firm’s size and risk exposure, including an information security policy and an explanation of compliance requirements (including compliance with SEC, NFA and other relevant legal requirements, as applicable). [6]
• Engage senior management and the board on cybersecurity issues.
• Consider appropriate allocation of resources to manage cybersecurity risks.
• Evaluate frameworks and technical standards. [7]

Cybersecurity Risk Assessment:

• Assess and evaluate supervisory, compliance and/or other risk management systems, policies and procedures on an ongoing basis as cybersecurity threats evolve. [8]
• Review, no less frequently than annually, the adequacy of firm policies and procedures and the effectiveness of their implementation pursuant to Rule 206(4)-7 of the Investment Advisers Act of 1940.
• Identify and maintain an inventory of assets, systems and data types.
• Make appropriate changes to address or strengthen systems, policies and procedures as internal and external weaknesses are identified and new cybersecurity threats arise.

Technical Controls:

• Restrict employee access to information processing and communications facilities to those users who have a business-related need to access those files within the scope of their employment.
• Require employees to observe exclusive password access to email and voicemail and impose minimum requirements on and mandatory regular updates for such passwords.
• Ban access to personal email from firm computers and devices.
• Prohibit former personnel from accessing any firm systems.
• Encryption. Protect the confidentiality of stored data by limiting access to data to only approved users.
• Third-party penetration testing. Simulate a real-world attack against a firm’s computer systems to obtain an attacker’s perspective on security weaknesses that a firm’s technology systems may exhibit.
• Install and regularly update robust anti-virus software on the firm’s systems.
• Adopt reasonable multi-tier payment approvals to lessen the risk that external threats can trick the manager’s employees into sending money to the source of the threat.

Incident Response Planning:

• Establish policies and procedures, as well as roles and responsibilities for, escalating and responding to cybersecurity incidents, including (i) containment and mitigation; (ii) eradication and recovery; (iii) investigation; and (iv) notification to regulators/law enforcement and/or investors. [9]

Vendor Management:

• Conduct due diligence on third-party vendors and service providers.
• Request and review the vendor’s written information security program, security response plan, business continuity plan, privacy policy and the results of any security audits previously conducted by the vendor. A vendor’s response to a request for these plans and policies can often be a barometer for that vendor’s sophistication level regarding cybersecurity.
• Ask vendors to identify any subcontractors that will have access to sensitive information and request diligence material for each such subcontractor.
• Limit vendor security exposure risk by limiting the systems and sensitive data access provided to the vendor on a need-to-access basis.
• Request that vendors incorporate certain data security-related contract provisions. [10]

Employee Training:

• Implement mandatory firm-wide training sessions for employees. Some key topics covered by firms include recognizing risks, social engineering schemes and phishing, handling confidential information, password protection, escalation policies, physical security and mobile security. [11]

Cyber Intelligence and Information Sharing:

• Assign responsibility for cybersecurity intelligence gathering and analysis at the organizational and individual levels so that the firm can proactively implement measures to reduce their vulnerability to cybersecurity threats and improve their ability to protect customer and firm information.
• Participate in appropriate information sharing organizations and periodically evaluate the firm’s information-sharing partners. [12]

Cyber Insurance:

• For firms that do not have cyber insurance, evaluate whether coverage would enhance the firm’s ability to manage the financial impact of cybersecurity events.
• For firms that have cybersecurity coverage, conduct a periodic analysis of the adequacy of the coverage provided to determine if the policy and its coverage align with the firm’s risk assessment and ability to bear losses.

[1] Transcript of the U.S. Securities and Exchange Commission Cybersecurity Roundtable, 28 (Mar. 26, 2014).

[2] Transcript of Luis A. Aguilar, A Threefold Cord – Working Together to Meet the Pervasive Challenge of Cyber-Crime.

[3] Testimony of Frank J. Cilluffo, Director, Center for Cyber and Homeland Security, Before the U.S. House of Representatives, Committee on Financial Services, Subcommittee on Oversight and Investigations, 1 (June 16, 2015).

[4] See IM Guidance Update, SEC, April 2015.

[5] For more information on the SEC’s focus on cybersecurity, please refer to Investment Adviser Cybersecurity: Understanding What is at Stake and How to Prevent Cyber Attacks, Beth R. Kramer and Garrett Lynam, Chadbourne & Parke LLP - Private Funds Practice NewsWire, Fall 2014.

[6] See National Futures Association: Information Systems Security Programs – Proposed Adoption of the Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49, August 2015.

[7] The National Institute of Standards and Technology (“NIST”) has published a framework that reframes cybersecurity issues in risk management terms. See The National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity Version 1.0.

[8] The Securities Industry and Financial Markets Association has published a helpful webpage to assist businesses establish a cybersecurity framework. See Guidance for Small Firms.

[9] The Financial Industry Regulatory Authority, Report on Cybersecurity Practices, February 2015, pp. 24.

[10] For example, request that vendor contracts provide for storage, retention and delivery of sensitive data and vendor employee access limitations, and ask vendors to identify any subcontractors that will have access to sensitive information and provide diligence material for each such subcontractor.

[11] The Financial Industry Regulatory Authority, Report on Cybersecurity Practices, February 2015, pp. 31.

[12] Although intelligence sharing by and among firms remains largely ad hoc and informal, an executive order signed by President Obama has directed the Department of Homeland Security to develop new information sharing and analysis organizations and develop common standards for the sharing of cyber threat intelligence. See Promoting Private Sector Cybersecurity Information Sharing, Exec. Order No. 13691 (Feb 20, 2015), 80 Fed. Reg. 9349.