If you’re anything like me, wrapping your head around the intricacies of the latest cybersecurity threats and the technology solutions for addressing them can seem overwhelming. Yet, the recent risk alerts published by the SEC Office of Compliance Inspections and Examinations (OCIE) and the third series of cybersecurity sweep exams conducted by OCIE hammer home the message that the SEC and other regulators continue to carefully scrutinize how advisory firms and broker-dealers identify and manage such risks.
Fortunately, understanding the fundamental tenets of cybersecurity risk management does not require an advanced computer science degree. This article will provide a user-friendly roadmap for evaluating your firm’s cybersecurity risks focusing on addressing five key W’s:
- What information must be protected.
- Where is such information.
- Who has access to such information.
- What threats does a firm face with respect to its information.
- What measures have been adopted to protect such information.
What Information Must Be Protected?
The principal goal of cybersecurity preparedness is to protect your firm’s information from theft or compromise. As such, it is vital to understand what types of information are possessed and managed by your firm before a proper risk assessment can take place. This can be accomplished by taking inventory of and mapping the types of information retained and transmitted by your firm.
Taking inventory of your firm’s information is a task that should be performed carefully as it might surprise you to learn the scope of information that is possessed by your firm. The SEC and state regulators are principally focused on the protection of clients’ personally identifiable information (e.g., contact information, Social Security number, date of birth, and information about income, assets, liabilities, employment, family members, etc.), but there are numerous other types of information housed by an investment adviser and broker-dealer, including, among other things: intellectual property; financial information; lists of clients, vendors and business partners; investment research; information regarding investment strategies and methodologies; portfolio position and transaction data; marketing plans; employment records; and user credentials for various services.
Seeking and obtaining input from senior management and the heads of business units will significantly enhance the utility of this information-gathering effort.
Once identified, the types of information should be categorized so that the risk associated with each type can be properly evaluated. For instance, if the inventory is kept in a spreadsheet with the types of information listed in the first column, a second column could categorize each type by its value to the firm, using either a numeric scale (e.g., 1 through 10) or another value indicator (e.g., low, medium or high). Value can be assessed using various metrics, including, among other things, whether the firm could continue to operate should such information be stolen or compromised. A third column could categorize the information by sensitivity using similar indicators. Sensitivity can be assessed using various metrics, including, among other things, the economic and/or reputational harm the firm could suffer should the information be stolen or compromised.
Taking inventory in this manner will allow your firm to better evaluate the risks posed by cybercrime and the measures it must take to protect its most valuable and sensitive information.
Where Is Such Information?
Once you take inventory of and classify the types of information possessed and managed by your firm, a best practice is to map such information to understand where the risks might lie.
Information can reside in numerous places, including on a firm’s principal and backup servers, employee workstations, software applications, printers and any cloud environments used by the firm. When conducting this exercise, you should consider not only the principal places where such information is housed, but also any other areas where it might reside as a result of being transmitted. For instance, even if information is primarily housed on a firm’s principal server, if it can be downloaded to an employee’s computer and/or transmitted through email, the firm should reflect this when mapping out where such information resides.
This exercise should not only consider where such information is housed within your firm’s office environment, but also where it can be otherwise accessed. For instance, if employees can work remotely, the exercise should take into account any laptops, mobile devices and home computers where such information can be accessed.
Additionally, firms should identify any third parties, including any vendors, counterparties and business partners, to which such information can be transmitted. The mapping exercise can be conducted either in the above-referenced spreadsheet or in a separate spreadsheet.
Who Has Access to Such Information?
While cybersecurity preparedness principally focuses on unauthorized access to sensitive information, it is also important to understand who has been granted rights to access the firm’s information, so that the risks posed by such access can be properly evaluated. Whether through intentional misappropriation or by inadvertently granting access (e.g., by opening a malicious email attachment), employees’ actions can result in significant harm to an organization.
Firms can track employee access to firm information through the use of a separate spreadsheet.
The first column can identify each employee or contractor, and, ideally, any third parties (e.g., vendors) to whom access to the firm’s information has been granted. A second column can detail the duties and responsibilities assigned to the persons identified in the first column. The third column can identify any changes in such duties and responsibilities since the spreadsheet was last reviewed.
The fourth column can list the specific types of information that are accessible to the persons identified in the first column. The fifth column can delineate what, if any, restrictions are imposed on each person’s access to such information.
A sixth column could identify any prophylactic measures the firm has adopted to protect itself where access to information has been granted to employees or third parties. (For employees, the firm could detail the types of training the employee has received with respect to the protection of information to which the employee has been granted access. If the party receiving access is a vendor or other third party, the firm could detail the types of due diligence conducted on such third party to verify that the firm’s information is being adequately protected.)
This spreadsheet should be regularly updated as relationships between a firm, on the one hand, and its employees and vendors, on the other hand, can evolve significantly over time.
What Threats Does a Firm Face With Respect to Its Information?
The first three steps outlined above lay the groundwork for the next step, which is conducting the actual risk assessment.
In a separate spreadsheet, a firm can detail the specific risks posed. This can be done in the first column of the spreadsheet. For instance, a firm might list risks from malware (e.g., viruses, worms and ransomware), email phishing attacks, distributed denial of service (DDoS) attacks, inadvertent employee conduct, employee theft of information, and theft of devices containing firm information.
The next two columns can help the firm evaluate the level of risk posed with respect to the risks described in the first column. In the second column, the firm can consider the potential impact on the firm if the risk comes to fruition by using a numeric scale or other risk indicator. The third column can outline the likelihood of the risk materializing using similar risk indicators.
Performing these steps will significantly assist your firm in determining how to allocate time and resources to addressing specific cybersecurity risks.
What Measures Have Been Adopted to Protect Such Information?
Once the risks and their degree of importance have been identified, a firm can evaluate its existing cybersecurity preparedness measures and determine whether any adjustments must be made to better protect the firm’s information. This can be done by using the risk assessment spreadsheet described in the previous section.
In the fourth column, the firm can identify the measures it has taken to address the risks outlined in the first column. For instance, if the risk of malware has been identified, the firm might point to the use of antivirus software or software patches if those measures have been implemented. If the risk of email phishing attacks has been identified, the firm could point to training of employees on email practices if proper training has been conducted. If the firm is concerned about the theft of laptops, smartphones or other mobile devices where sensitive information is held, the firm could point to the use of encryption, strong passwords and remote wiping capabilities if implemented.
In the fifth column, the firm should identify its existing policies and procedures with respect to addressing the specific risks identified in the first column. This will allow the firm to evaluate whether its actual practices are in line with its stated policies and procedures. If the practices and policies are not aligned, the firm must consider modifying either the practices or its policies and procedures.
The sixth column can identify the department or person(s) responsible for ensuring that the policies and procedures are being properly followed, which helps ensure that responsibility for managing the delineated risk does not fall through the cracks.
The seventh column can identify any changes in the firm’s business, applicable laws and regulations, or other circumstances that impact its cybersecurity preparedness.
The eighth column can identify any changes to the firm’s practices and/or policies and procedures recommended following a review of the firm’s cybersecurity preparedness efforts.
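As an added illustration (not part of the original article), the following Python snippet models the risk assessment spreadsheet described in the previous two sections: one row per risk, an impact and a likelihood rating, the measures and policies that address it, and a responsible owner. It ranks the register so that time and resources can be directed at the highest-scoring risks first, and it flags rows where practices and policies are not aligned or where no one is responsible. The 1-to-5 scale, the "impact times likelihood" scoring rule, the column names and the sample risks are all constructed assumptions for this example; the article does not prescribe any particular scale or formula.

```python
"""Risk-register model for the five-W assessment (added example, not the article's own tool).

Assumptions (not from the article): a 1..5 scale for impact and likelihood,
score = impact * likelihood, and the column layout below.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale: 1 = negligible/rare, 5 = severe/almost certain


@dataclass
class Risk:
    name: str                                   # column 1: the risk
    impact: int                                 # column 2: impact if the risk materializes
    likelihood: int                             # column 3: likelihood of the risk materializing
    measures: list[str] = field(default_factory=list)   # column 4: measures actually in place
    policies: list[str] = field(default_factory=list)   # column 5: written policies and procedures
    owner: str = ""                             # column 6: responsible department or person
    changes: str = ""                           # column 7: business, legal or regulatory changes
    recommendations: list[str] = field(default_factory=list)  # column 8: recommended changes

    def score(self) -> int:
        return self.impact * self.likelihood


def in_scale(value: int) -> bool:
    """A rating is usable only if it falls on the assumed scale."""
    return SCALE_MIN <= value <= SCALE_MAX


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so a severe-but-unlikely risk
    sorts above a likely-but-minor one with the same product."""
    for r in register:
        if not in_scale(r.impact) or not in_scale(r.likelihood):
            raise ValueError(f"{r.name}: ratings must be between {SCALE_MIN} and {SCALE_MAX}")
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def gaps(register: list[Risk]) -> list[tuple[str, str]]:
    """Findings a reviewer would want to see: practice/policy misalignment and missing ownership."""
    findings: list[tuple[str, str]] = []
    for r in register:
        if not r.measures and not r.policies:
            findings.append((r.name, "no measure and no policy recorded"))
        elif r.measures and not r.policies:
            findings.append((r.name, "practice in place but no written policy (misaligned)"))
        elif r.policies and not r.measures:
            findings.append((r.name, "written policy but no implemented measure (misaligned)"))
        if not r.owner:
            findings.append((r.name, "no responsible owner"))
    return findings


def sample_register() -> list[Risk]:
    """Constructed sample rows, using the risk types the article lists."""
    return [
        Risk("Malware / ransomware", impact=5, likelihood=3,
             measures=["antivirus software", "timely patching"],
             policies=["patch management procedure"], owner="IT"),
        Risk("Email phishing", impact=4, likelihood=5,
             measures=["employee training on email practices"],
             policies=[], owner="Compliance"),
        Risk("DDoS", impact=2, likelihood=2),
        Risk("Lost or stolen mobile device", impact=4, likelihood=3,
             measures=["full-disk encryption", "strong passwords", "remote wipe"],
             policies=["mobile device policy"], owner="IT"),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("Risks by priority:")
    for r in rank(register):
        print(f"  {r.score():>2}  {r.name}  (impact {r.impact}, likelihood {r.likelihood})")
    print("Gaps to address:")
    for name, problem in gaps(register):
        print(f"  {name}: {problem}")
```

Running the block prints the register ordered by score and then the gap findings. With the sample rows, phishing ranks first even though malware has the higher impact, because the scoring weights likelihood equally; a firm that wants impact to dominate can change the key in `rank`. The gap check is what turns the spreadsheet from a record into a control: a practice without a written policy, or a policy nobody implements, is exactly the misalignment the fifth column is meant to expose.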
While cybersecurity preparedness can seem elusive given the ever-changing threat environment, the above approach can go a long way toward mitigating the likelihood and impact of any cyberattack. It bears repeating that any such risk assessment should be revisited regularly to ensure that the firm continues to adapt its cybersecurity risk management efforts as circumstances change.
The foregoing information is provided for informational purposes only and does not constitute legal advice. Readers should consult an attorney if they require advice regarding their particular circumstances. If you have any questions, please do not hesitate to contact us.