Cybersecurity Best Practices
Main Contributor: Gretchen Sturdivan, CSCP, Creative Director & Compliance Manager
Background
No matter your advisory firm or fund’s size, maintaining a cybersecurity program does not require access to unlimited financial and technical resources. We know that when resources are limited, tackling cybersecurity can feel overwhelming, even impossible. You might be asking yourself where to start, which elements must be addressed, and who will manage it all. That is actually the best place to start: not asking these questions could result in an underdeveloped cybersecurity program, allowing critical vulnerabilities to go undetected and putting client data at risk.
The SEC has been focused on cybersecurity for quite some time, as is evident on page 15 of its 2022 Examination Priorities as well as in the new rule proposal, which is theoretically set to go into effect in April of 2023. When the final rule goes into effect, no one will be immune from having some semblance of a cybersecurity program and annual review in place, yet many may currently feel unprepared to deal with such structured requirements.
In light of the increased focus and rule changes on the horizon, we reached out to our colleague Simon Eyre with Drawbridge, who provided a wealth of information regarding the fundamental cybersecurity elements an adviser or fund of any size should have in place to protect their firm. We’ve compiled that information into digestible chunks within this article and hope that it serves as a starting point to implement some basic controls or perhaps functions as confirmation that you have the basic elements in place to help protect your firm.
Cybersecurity Risk Assessments
If you take anything away from this article, then understand that the key is taking a risk-based approach to generating your cybersecurity program. In fact, every element you implement should be a direct reflection of the Risk Assessment. We already know risk assessments to be critical in identifying gaps within your compliance program. At SCS, we use risk assessments to inform policy updates and areas that require forensic testing, so it should come as no surprise that they would also inform your biggest cybersecurity gaps that will need to be addressed.
The risk assessment should follow the data. Simon has suggested creating a physical, visual data map, to obtain a true understanding of where the data is flowing. You will need to understand how the data is coming in, where it lives, and where it’s going. This will inform your risk assessment and then you will understand the controls you need to have in place to protect your data.
Policy Basics
Your cybersecurity policies should be informed by your risk assessment, and they should NOT be static policies. Reconsider them no less than annually and update them as necessary.
When generating your policies, keep in mind the basic elements to generate procedures around:
Define the security settings in place for your system and network.
Define your vendor due diligence process that is in place to ensure data security with a third party.
Define how you identify and record essential data for regular backups.
Define your password policy.
Determine the access controls that are in place and ensure employees can only access the information and systems required for their role.
Define the frequency of employee training and the topics you cover.
Include best practices that employees should follow in their day-to-day life.
Describe the mobile device management you have in place and the procedures in place if a device is lost or stolen.
Define an incident response plan in the event of a cybersecurity incident. This should include action for remediation and how it gets reported.
Another key element to an effective cybersecurity program is a solid and reasonably designed Business Continuity Plan (“BCP”). If you are a small firm and not sure where to start with your BCP, Simon suggests focusing on establishing a timeline of when business functions would become critical (i.e., how long can you be without email or your order management system?). Once you establish a timeline, describe how you would fix it or what the backup would be. Perhaps you use an application with Microsoft Office 365 that offers mail recording services, or you have another avenue to make trades through. Focus on operational resilience and make it less technologically focused. For a CCO of a small firm who wears multiple hats, you will want to make sure you have a plan in place in the event the CCO is not available, in addition to other key employees. Make sure employees are aware of the plan and can access it in the event the firm’s system goes down. And most importantly, just like your cybersecurity policies, do not treat it as a static document. Review your BCP no less than annually, test the procedures, and make sure updates are made when necessary.
Standard Technical Controls
Implementation of key services and software, such as Microsoft 365, is crucial in setting up the secure aspects of these programs. Simon discusses this in Drawbridge’s recent webinar which you can listen to here. The important thing to know is that software is not secure straight out of the box. Implementation of the security features on these platforms is the piece that matters. If someone hasn’t invested the time to set up those features, you are opening yourself up to risk.
Without too much outside assistance, there are things you should look at in order to know what security features should be set up. Look at where the data is going and where you have that documented in order to understand the risks that each platform brings to your firm and to be able to substantiate it to an examiner.
Now let’s look at some of the standard technical controls that should be in place for a firm of any size according to the National Cyber Security Centre and the FCC in order to significantly reduce the chance of becoming a victim of cybercrime:
Switch on your firewall security for your internet connection.
Ensure Wi-Fi Networks are secure, encrypted, and hidden.
Ensure Multi-Factor Authentication (“MFA”) is enabled for all cloud-based platforms, at a minimum.
Install and enable anti-virus and anti-malware software on all devices.
Ensure data is being backed up to a backup platform (e.g., a portable hard drive and/or the cloud), either by your firm if your server is in-house, or through redundancies provided by the third-party cloud provider.
If housing your own server, set automated backup periods relevant to the needs of the business.
Apply restrictions to prevent employees from downloading third-party applications or software and limit employee access to internal data and information.
Install the latest software updates on all devices and switch on automatic patching updates with periodic checks.
Ensure all applications on devices are up to date and automatic patch updates have been set to download as soon as they are released. Schedule regular manual checks on updates.
Set up encryption on all office equipment. Use products such as BitLocker for Windows using a Trusted Platform Module (TPM) with a PIN, or FileVault (on macOS).
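The checklist above is only useful if you can verify it on each machine. The following read-only audit script is an added example, not code from this article, SCS or Drawbridge; it checks a Windows endpoint for the firewall, anti-malware, BitLocker TPM+PIN and automatic-update items listed above using the built-in NetSecurity, Defender and BitLocker PowerShell modules. The registry location used for the automatic-update policy is an assumption about where that policy is stored.

```powershell
# Added example (not the article's own): audit one Windows endpoint against the
# technical-controls checklist. Run from an elevated PowerShell session.
$findings = @()

# 1. Firewall must be switched on for every profile (Domain, Private, Public)
Get-NetFirewallProfile | ForEach-Object {
    if (-not $_.Enabled) { $findings += "Firewall profile '$($_.Name)' is disabled" }
}

# 2. Anti-virus / anti-malware running, with real-time protection and fresh signatures
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Defender antivirus is not enabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings += "Antivirus signatures are older than 7 days"
}

# 3. Full-disk encryption: OS volume protected by BitLocker using a TPM + PIN protector
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectorTypes = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not On for $($env:SystemDrive)"
} elseif ($protectorTypes -notcontains 'TpmPin') {
    # A TPM-only protector unlocks silently at boot; the checklist asks for TPM + PIN
    $findings += "BitLocker on $($env:SystemDrive) has no TPM+PIN protector (found: $($protectorTypes -join ', '))"
}

# 4. Automatic patching must not be disabled by policy.
#    Assumption: the 'NoAutoUpdate' policy value lives under this key; no key means no policy.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { $findings += "Automatic Windows Update is disabled by policy" }

# Report: one line per gap, so the output can be kept as evidence for an examiner
if ($findings.Count -eq 0) {
    "PASS: all checklist items verified on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "FAIL ($env:COMPUTERNAME): $_" }
}
```

Keep the dated output with your risk assessment records; it documents the control, not just the policy that says the control exists.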
Cyber Awareness Training
As with other elements of a compliance program, training is critical. Almost all cyber-attacks and breaches start with some basic human element, so to minimize risk, awareness is essential. Once you understand the elements you have in place for your cybersecurity program, ensure that all of your staff understands those elements as well. Especially in this hybrid, work-from-home environment, it’s critical that employees know when and how to report a cyber incident, how to protect client data, the technical and administrative controls they should have in place, and how to deal with phishing or ransomware. Drawbridge is also an incredible resource for outsourced training, as they are able to explain cybersecurity controls in a way that everyone can understand and make it accessible to your employees.
At a minimum, ensure you are training employees and making them aware of the following:
Where they can securely store passwords.
Ensure they understand the password policy.
Explain how to spot the obvious signs of phishing.
Explain how to report suspected phishing.
Explain the risks and controls in place that are specific to your firm.
Include the practices they should have in place when working from home to protect client data.
Explain the details of Wi-Fi hotspot vulnerabilities and how to use alternative options like a VPN or mobile network.
Conclusion
We are all compliance professionals here. We may or may not all be IT experts. Regardless, it is no longer safe to avoid addressing your firm’s cybersecurity posture. We have to break it down to the basics and think about the high-level risks to get started. Once you have these basic elements in place, your firm will be in a much better place, not only to talk to regulators when they come knocking but to also protect your firm, your clients, and your reputation in the event of a cybersecurity incident. The best defense is preparation and knowing that you have a rock-solid plan in place. It will help you sleep better at night knowing that you don’t have a massive cyber cloud of uncertainty hanging over you. Let SCS or Drawbridge know if you’d like outsourced third-party support, as those resources are always available to you to ensure your cybersecurity program is robust and ready for the proposed rule and the SEC.