
CYBERSECURITY STRATEGIES - NetSuiteshopping.na1.netsuite.com/c.401329/ArgosyForms/H5521/images... · © 2016 IA Watch | 1-844-421-6333 ... 1 OCIE cybersecurity sweep letter ... IA


CYBERSECURITY STRATEGIES

to Ensure SEC Compliance

©2016 IA Watch. All Rights Reserved. P116


© 2016 IA Watch | 1-844-421-6333 | www.iawatch.com

Cybersecurity Strategies to Ensure SEC Compliance Guide

Table of Contents

Tip # Content Pages

Introduction ............................................................................................ 1

Cybersecurity Best Practices and Guidance

1 Cybersecurity demands constant vigilance but even it won’t guarantee tranquility ........................................................... 5

2 From checking on vendors to segmenting your systems, steps to take at your firm ................................................................ 7

3 You needn’t be perfect with cybersecurity but assess your risks fairly ............................................................................... 9

4 IOSCO study reveals tools being employed to deal with cyber risk .............................................................................. 11

5 Cybersecurity insurance market seeing gradual growth ................. 13

6 Cybersecurity advice for when you’re ready to opt for a penetration test .................................................................... 15

7 Compliance actions to take so B-Y-O-D doesn’t turn into t-r-o-u-b-l-e .................................................................... 18

8 When striving for strong cybersecurity P&Ps, be sure to keep them achievable ..................................................21

9 FFIEC provides guidance on cyber-attacks involving extortion ........................................................................23

10 Interagency working group offers tips to reduce destructive malware risks ............................................................. 24

11 Cyber exercise produces recommendations for the industry and regulators ...........................................................25

12 More cybersecurity tips: How to persuade staff to stay away from suspect e-mails ................................................26

13 Cyber-attacked adviser offers suggestions to keep your computer system safe ..................................................29

14 CCOs continue to sit mostly on the sidelines with cybersecurity at their firms .................................................... 31


15 Hackers in China suspected in the first SEC case citing adviser for poor cybersecurity............................................. 34

16 Cyber tips and resources that can help keep your system safe ................................................................. 36

17 Cybersecurity best practices suggested by the SEC’s Division of Investment Management ................................... 38

18 Cybersecurity risk must be actively managed with proactive steps .................................................................... 39

19 Practical steps to take to strengthen your firm’s cybersecurity ......................................................................41

20 IA principal moves on tackling critical cybersecurity action plan .............................................................. 44

21 Solutions for smaller advisers lacking resources to fully embrace cybersecurity ...................................................... 46

22 Guidance to help you decide if cybersecurity insurance is right for you ............................................................... 49

23 A cyber breach occurs at your firm: What do you do? .................... 52

Cybersecurity Sample Documents, Tools and Policies

1 OCIE cybersecurity sweep letter .................................................. 57

2 OCIE’s 2015 Cybersecurity Examination Initiative .......................... 67

3 A cybersecurity incident response plan ........................................ 77

4 BYOD acceptable use standard ................................................... 83

5 A remote access control P&P ...................................................... 95

6 A BYOD agreement ................................................................... 107

7 A cybersecurity due diligence questionnaire for your vendors ......117

8 A client information access policy .............................................. 121

9 A cybersecurity framework ........................................................ 125

10 An example of an IA cybersecurity plan ...................................... 129

11 OCIE’s sample cybersecurity document request letter ................ 147

12 A vendor due diligence checklist .............................................. 155

13 A cyber vendor consulting agreement ........................................ 159

14 Examples of cybersecurity tests ................................................. 165

15 A sample cybersecurity P&P ...................................................... 169


Introduction

Ever-increasing cybersecurity breaches and continuing threats against financial services firms require investment adviser and broker-dealer compliance and IT professionals to have a robust program in place to protect client and firm information. Your clients and regulators fully expect that you have assessed your risks and vulnerabilities, prepared for a wide variety of scenarios, trained your employees and have concrete response plans in place in the event of an incident.

The importance of cybersecurity preparedness has been consistently driven home by the SEC. The Commission’s New York Regional Director has called cybersecurity “the issue of our time,” enforcement actions against the likes of R.T. Jones Capital and Morgan Stanley are offering up critical lessons, and an SEC commissioner has warned firms to avoid “apathy” in instituting cybersecurity protections, all while the SEC has initiated two separate exam sweeps targeting cybersecurity.

“Phase 2” Focus Areas

The “phase 2” document request letter from the SEC’s Office of Compliance Inspections and Examinations follows the six focus areas revealed in its cybersecurity risk alert released last year: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. But the extent of the materials sought may jolt you.

The new letter includes two innovations designed to make it easier for the adviser to know which documents should be sent before examiners arrive and which ones could be shared once they’re onsite. The first change is a box that’s divided in two, one side containing request items by number that should be delivered beforehand and the other side numbers that can be given onsite.

The second innovation can be found in the left margin next to each requested item. Text appears there that indicates either “provide in advance” or “make available on-site.” The letter reminds the firm that “the staff may request additional information at a later date.”

The new 8-page exam document request letter lists items under each of the Commission’s core focus areas.

1. Governance and risk assessment

This begins with a request for the firm’s P&Ps for the “protection of customer/client records and information” as well as to “protect against anticipated threats to customer/client information.”

If the firm has a board, the examiners asked for “all Board minutes” related to cybersecurity, including “incident response planning, actual cybersecurity incidents.”


The SEC also wanted to know the name of the firm’s chief information security officer. “If the role does not exist, explain where the principal responsibility for overseeing cybersecurity resides within the firm,” reads the letter (our source did not want us to identify the regional office that sent the letter).

The month and year of the firm’s last cybersecurity risk assessment was requested, along with “the scope of the review.”

Examiners also asked for “a list of all penetration testing,” “a brief description of the tests and their frequency” and “a copy of the results of the most recent test.”

It would be smart to create “a sample log or report” proving your firm’s cybersecurity patch maintenance. The letter requested such documentation.

2. Access rights and controls

Of the 37 items requested in the new letter, the most (11) fall under this topic. One example, which gives you a heads-up on what you may want to have available should the cyber examiners call on your firm, was “a list of the last ten employees to leave the firm during the review period and documentation evidencing their last date of employment and the date their access to the firm’s systems was terminated.”
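As an added example (not from the handbook or the OCIE letter), the script below produces the leaver evidence that item describes and, more usefully, flags the rows that would draw a follow-up question from an examiner: access disabled more than a day after the last day worked, accounts still enabled, and leavers with no directory record at all. The two CSV exports, their column names, the status labels and the one-day tolerance are all constructed assumptions; substitute your own HR and directory exports.

```python
"""Reconcile HR leaver records against directory account state.

Added example, not from the IA Watch handbook or the OCIE letter. It builds
the evidence the letter asks for (recent leavers, last day worked, date system
access was cut off) from two exports and flags the gaps an examiner would
notice: accounts disabled late, accounts still enabled, and leavers with no
directory record at all. Column names, status labels and the sample rows are
constructed for the example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed HR export: one row per leaver.
HR_LEAVERS_CSV = """\
emp_id,name,last_day
1001,A. Example,2016-01-15
1002,B. Example,2016-02-29
1003,C. Example,2016-03-10
1004,D. Example,2016-03-31
1005,E. Example,2016-03-20
"""

# Constructed directory export: enabled flag and the date the account was disabled.
# 1003 was never disabled; 1005 has no account record at all.
DIRECTORY_CSV = """\
emp_id,account,enabled,disabled_on
1001,aexample,false,2016-01-15
1002,bexample,false,2016-03-07
1003,cexample,true,
1004,dexample,false,2016-03-30
"""


@dataclass
class LeaverRecord:
    emp_id: str
    name: str
    last_day: date
    account: Optional[str]
    disabled_on: Optional[date]
    lag_days: Optional[int]   # days between last day worked and access removal
    status: str               # OK, LATE, STILL_ENABLED or NO_DIRECTORY_RECORD


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def reconcile(hr_csv: str, directory_csv: str, as_of: date,
              max_lag_days: int = 1, limit: int = 10) -> List[LeaverRecord]:
    """Return the `limit` most recent leavers with their access-removal status.

    `as_of` is the report date; for accounts that are still enabled the lag is
    measured up to that date so the report is reproducible.
    """
    accounts = {row["emp_id"]: row for row in csv.DictReader(io.StringIO(directory_csv))}
    leavers = list(csv.DictReader(io.StringIO(hr_csv)))
    # ISO-8601 dates sort correctly as strings; most recent leaver first.
    leavers.sort(key=lambda r: r["last_day"], reverse=True)

    report = []
    for row in leavers[:limit]:
        last_day = date.fromisoformat(row["last_day"])
        acct = accounts.get(row["emp_id"])
        if acct is None:
            # No account to check: the firm cannot prove access was removed.
            report.append(LeaverRecord(row["emp_id"], row["name"], last_day,
                                       None, None, None, "NO_DIRECTORY_RECORD"))
            continue
        disabled_on = _parse_date(acct["disabled_on"])
        enabled = acct["enabled"].strip().lower() == "true"
        if enabled or disabled_on is None:
            lag = (as_of - last_day).days
            status = "STILL_ENABLED"
        else:
            lag = (disabled_on - last_day).days
            status = "OK" if lag <= max_lag_days else "LATE"
        report.append(LeaverRecord(row["emp_id"], row["name"], last_day,
                                   acct["account"], disabled_on, lag, status))
    return report


def exceptions(report: List[LeaverRecord]) -> List[LeaverRecord]:
    """Only the rows an examiner would ask about."""
    return [r for r in report if r.status != "OK"]


def format_report(report: List[LeaverRecord]) -> str:
    """Plain-text table suitable for the 'provide in advance' package."""
    lines = ["emp_id  last_day    account    disabled_on  lag  status"]
    for r in report:
        lines.append(f"{r.emp_id:<7} {r.last_day.isoformat()}  {r.account or '-':<10} "
                     f"{r.disabled_on.isoformat() if r.disabled_on else '-':<12} "
                     f"{r.lag_days if r.lag_days is not None else '-':>3}  {r.status}")
    return "\n".join(lines)


def run_example() -> List[LeaverRecord]:
    """Run the reconciliation over the constructed exports as of a fixed date."""
    return reconcile(HR_LEAVERS_CSV, DIRECTORY_CSV, as_of=date(2016, 4, 15))


if __name__ == "__main__":
    rows = run_example()
    print(format_report(rows))
    print(f"\n{len(exceptions(rows))} of {len(rows)} leavers need follow-up")
```

Keep the output alongside the termination tickets: the letter asks for documentation of both dates, not just the list, and a leaver whose account was never disabled or who has no account record at all is exactly the finding an examiner will write up.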

3. Data loss prevention

Only three items were requested in this area, including “a data map with owners identified as well as documentation evidencing the location of personally identifiable information.”

4. Vendor management

The five items under this area included P&Ps. “If no written policies or procedures exist, please describe the firm’s processes related to vendor selection, management, and oversight.” Examiners also wanted a “list of all third-party vendors with access to the Firm’s network or data” as well as a “sample contract” and any “written contingency plans” in case a vendor filed for bankruptcy or ran into other troubles.

5. Training

Only two items fell under this topic, although again they suggest records you may wish to keep.

“Please identify the dates, topics, and groups of participating employees for these training events” along with “any written guidance or training materials provided” to staff, according to the letter.


6. Incident response

Seven items can be found under this heading. Examiners wanted the firm to identify “the 25 most recent system-generated alerts ... related to data loss or sensitive information or confidential customer/client records and information.” In addition, the adviser was asked to flag alerts that “became incidents requiring further action.”

The SEC also asked for a “list of any successful unauthorized external incidents” as well as for the firm to identify “the amount of actual customer losses associated with cyber incidents.”

IA Watch’s “Cybersecurity Strategies to Ensure SEC Compliance” handbook is designed to provide you with cybersecurity best practices and guidance, as well as sample documents, tools and policies. The coverage is indicative of what can be found at IA Watch, the most authoritative source and all-in-one regulatory compliance service offering best practices, guidance and tools to help firms keep in compliance.

For additional information, or to subscribe, contact the IA Watch team at 1-888-234-7281. To take a 7-day FREE trial, visit www.IAWatch.com/FreeTrial.