Last week, the SEC’s Office of Compliance, Examinations and Inspections (“OCIE”) released its third cybersecurity National Examination Program Risk Alert (the “September Alert”) within eighteen months, heralding a second round of cybersecurity sweeps and a greater general examination focus on the issue.
Moreover, with these alerts the SEC is effectively developing best-practice guidelines for financial services firms, and a failure to adhere to them may expose a firm to increased litigation risk as well. The SEC’s focus on the active engagement of boards in the monitoring of information security programs underscores the increasing need for financial services firms, particularly those that hold retail or non-institutional customer accounts, to ensure that cybersecurity expertise is a represented skill set on their boards.
Broadly, the September Alert covers:
• Governance and Risk Assessments
• Access Rights and Controls
• Data Loss Prevention
• Vendor Management
• Incident Response
This piece will address how the SEC’s approach to cybersecurity has evolved since last April’s Risk Alert (the “2014 Alert”) and will not cover every area raised in the September Alert. Additionally, the need for documenting compliance is emphasized throughout the September Alert. Firms, particularly those that do not have a Chief Information Security Officer, need to be careful that their technology functions (whether outsourced or managed by a CTO/CIO) are adequately documenting their information security prevention and detection practices, in addition to their information security policies and procedures.
Governance and Risk Assessment
Both board-level engagement (noted above) and management accountability are newer themes raised in the September Alert. Greater emphasis is also placed on a firm’s formal risk assessment process and on the weighting of the various risks identified therein. Vulnerability scans and penetration testing are also, and rightfully, a recurring SEC theme.
Access Rights and Controls
The SEC has broadened its focus from customer access in the 2014 Alert to internal as well as external access controls. The SEC is fairly prescriptive here regarding the auditable data points that firms need to monitor and track, such as changes in access rights resulting from terminations of service or changing roles, as well as how long it takes for access rights to be adjusted after such changes. Access requests, even password resets, must occur in accordance with defined and monitored processes. Moreover, the SEC anticipates that firms will have the ability to track breaches or attempted breaches of data access rights, particularly those relating to confidential information, by developing network behavior baselines that are monitored for anomalies.
The SEC has shifted its lexicon from “authentication” to “multi-factor authentication” regarding access controls. Further, firms will need to have a risk assessment process for determining which systems do and do not require multi-factor authentication. What’s next, exponential authentication? Maybe; consider biochronometrics.
The SEC also raises the need for firms to consider implementing a Mobile Device Policy and to justify their decision if they do not implement one. This policy, to the extent not addressed elsewhere, will need to address encryption, access controls, tracking, acceptable use, and deactivation of mobile devices.
With regard to responding to customer issues, the SEC appears to be moving away from an expectation that firms will have policies for addressing cyberattack loss responsibilities and toward expecting firms to retain and log their responses to customer complaints. Both alerts focus on cybersecurity insurance, and it seems apparent that many firms, particularly those that hold non-institutional accounts, are effectively required either to contract for cybersecurity insurance coverage or to self-insure.
Data Loss Prevention
In the summary of this section, OCIE leads with patch management and configuration policies. A firm’s failure to implement sufficient controls in these areas will be easy for examiners to identify and to cite the firm for. Additionally, such failures are a clear signal to examiners that a firm’s enforcement of information security policies is deficient.
Notably, both in the summary and in the appendix to the September Alert, the SEC has pivoted its focus away from the protection of systems and toward the protection of data. This does not mean that system protection is unimportant, but rather that the SEC is recognizing that even secure systems will experience unidentified vulnerabilities that can impact sensitive data; therefore, firms need to contemplate such failures in devising their preventive and detective controls. The importance of this point is highlighted throughout the September Alert, particularly with regard to the need to implement controls to detect and respond to the exfiltration and unauthorized distribution of data.
Data classifications, the mapping of such classifications across internal and external systems, and the assessment of risks in making such classifications are all raised as expected data loss prevention controls, and they highlight the need for a heightened understanding of the firm’s security controls surrounding data processing.
Vendor Management and Training
Both the 2014 Alert and the September Alert focused on due diligence, contractual requirements and monitoring of vendors. New to the September Alert are requests for any information security risk assessments that a firm’s vendors have performed; performance statistics and any other reports provided by vendors handling sensitive information; and the change management program governing changes that could have a security impact on the firm or the firm’s sensitive data. Further, the SEC requests information related to a firm’s contingency plans for those vendors providing services linked to the security of sensitive data.
Many of the same themes raised in the 2014 Alert with regards to training are raised in the September Alert. This continues to be an important area, as even secure systems fall victim to inadvertent breaches caused by staff members.
Incident Response
In the 2014 Alert, the SEC focused on incident detection, response and remediation. The current alert also focuses on these points but puts a finer point on monitoring for the loss of sensitive information (as noted above) as well as on regular testing of the incident response plan (much as firms might test their business continuity plans). Specifically, firms should consider engaging in tabletop exercises that involve vendors as well as internal staff. Equally important is extending this testing to the identification of an incident’s causes, including which logs and alerts will be reviewed.
This will not be the last risk alert relating to information security, and it is indicative of the increased focus that financial regulators will continue to place on systems compliance and integrity generally. Whether or not they are adequately prepared at the moment, technology risk is a rapidly growing area for financial regulators, and their approach to information security will shape how regulators approach technology risk for years to come.