Tag Archives: SEC

The SEC is Coming, The SEC is Coming!

For Financial Service firms, the message is clear.  Both FINRA and the SEC are looking over your shoulder to make sure that you are taking cyber security seriously.

And the fines are not small.  From hundreds of thousands to millions of dollars, firms big and small are getting whacked with fines.

In 2014, the SEC office of Compliance Inspections and Examinations released a risk alert describing their new initiative designed to assess cybersecurity preparedness.  Among the requirements outlined in the program are:

  • Inventory of physical devices and systems
  • Inventory of platforms and applications
  • map of network resources, connections and data flows
  • The map above to include locations where customer data is housed
  • External connections are cataloged
  • Resources are prioritized for protection based on their sensitivity and business value
  • Logging capabilities and practices are assessed
  • A written information security policy is available
  • Periodic risk assessments conducted and findings mitigated
  • Periodic physical security risk assessments are conducted
  • Cyber security roles in the company are explicitly assigned and communicated
  • A written cyber business continuity plan has been implemented
  • The firm has a CISO or equivalent

This is only part of the list.  The list goes on for 8 pages.

Check out the end of this post for a list of references to FINRA and SEC documents describing these programs.

John Stark Reed of Reed Consulting has come up with some recommendations.  While paper is 12 pages long, here is the gist of the recommendations.  A link to the paper appears below.

  1. Review overall cyber security policies for adequacy
  2. Eliminate red flags (DUH!)
  3. Create the team (Now, not after a breach)
  4. Protect against identity theft
  5. Get private (protect private data)
  6. Choose the right monitoring technology
  7. Watch out for insiders (Chase learned the hard way)
  8. Consider cyber insurance (Don’t consider it, buy it)
  9. At the first sign of trouble, investigate

There is a ton of information in the articles listed below.

If your head is swimming after reading the articles, contact outside experts (yes, that is self-serving;  we do that for financial service companies, but it is very hard to do it yourself).  I liken fixing cyber security in a running business like paving a road while you are driving on it.  Not easy.

Each year the SEC and FINRA visit more businesses and each year their examiners get more knowledgeable about cyber, so don’t think you are going to fool them.

If you start early and have an active program, you are much more likely to get a friendly reception when the examiners come to visit.

It will take quite a while to put together an entire program, so we really do recommend starting early.  It is much easier to put together a program over a year or two rather than trying to get it done in a couple of months after you get that examination report.  If you wait, not only do you have to pay someone like us, but you also have to pay the fines.

LINKS to useful articles:

Cybersecurity and Financial Firms: Bracing for the Regulatory Onslaught by John Reed Stark

SEC National Exam Program risk alert.

SEC examination sweep results summary.

FINRA Report on cyber security practices.

FINRA cyber security report with small business checklist.

SEC Fines Investment Advisor $75,000 For Breach

The SEC and Investment Adviser R.T. Jones (RTJ) came to an agreement last week regarding a breach that RTJ had.

R.T. Jones, an investment advisor in St. Louis with about 8,000 clients, has agreements with retirement plan administrators to offer investment advice to participants in those plans via the web.

To log in to the site the participant enters their name, date of birth and social security number, since that is all secret information (Hint: NOT!).  In order to do that, the information for a hundred thousand POSSIBLE users was stored on the web server, unencrypted.

The web server, hosted at a third party, had administrative rights limited to two employees (that is a good move).  Unfortunately, the server was hacked.

RTJ hired a forensics company to assess the damage.  The investigators concluded that the hack came from multiple IP addresses in mainland China, but that the logs had been destroyed and therefore, there was no way to tell what the hackers took, if anything.

This wasn’t a great outcome, so RTJ hired another firm to see if they could provide a better assessment, but they could not.  In the end, RTJ notified all 100,000 people that their information had been breached.

In hindsight it seems obvious that using your birth date and social as a login is not a great thing to do.

In addition, storing that data unencrypted was not wise, but since the administrative credentials got compromised, the outcome would have been the same whether it was encrypted or not.

The fact that they had information for all possible customers instead of only the few that chose to avail themselves of RTJ’s advice is also a problem.

As the SEC investigated, it turned out that RTJ did not have written security policies, did not conduct periodic risk assessments, did not use a firewall to protect the web server with the client data on it and other measures that would be reasonably expected.

In the end, the SEC sanctioned them, fined them $75,000 and issued a cease and desist regarding every violating rule 30 (a) of regulation S-P (safeguarding customer information).

While marketing people say that there is no such thing as bad publicity, this is probably an exception to that saying.

The bad news here is that 92,000 of the people who’s information was compromised were not even customers of RTJ.  The plan administrators had provided that information to RTJ as a service to the participants.

Some attorneys are saying that this action along with  issuing the risk alert that they issued last week marks a new age for the SEC and that they plan to more aggressively go after brokers and advisers that do not protect customer information.

Information for this post came from the SEC web site.

SEC Issues Risk Alert To Advisors and Brokers

Last week the SEC released what they call a Risk Alert to Investment Advisors and Broker-Dealers saying that they were concerned about the protection of client information because of recent attacks and attempted attacks against the financial community.

In the alert, they laid out the very particular concerns they have in 6 specific areas and said that they are going to start a Cybersecurity Examination Initiative to create better compliance.

They are not saying who is going to get one of these special surprises, how many will or when.

That being said, the focus of these examinations are applicable to almost every company.

The 6 areas are;

  1. Governance – how are you managing the cyber risk process.  Is the board and C-Suite actively involved?   How often are you doing risk assessments – things like that.
  2. Access rights and controls – are you controlling who has access to what systems and what data and how are you managing that process.
  3. Data loss prevention – monitoring information that goes out of the organization electronically to make sure that it is not going to places that it should not – like China or an employee’s personal storage.
  4. Vendor management – making sure that you are not the next Target or Home Depot – both of whom were done in by vendors who did not manage cyber security appropriately.
  5. Training – while training will not stop all attacks, poorly trained employees may make inappropriate security decisions because they do not understand the risks of their actions.
  6. Incident response –  we have seen that in some breach situations (Sony and OPM come to mind), the companies were not prepared to deal with a breach.  This can turn into a PR disaster and usually increases the cost of recovering from the breach.

So, whether you are a firm who is regulated by the SEC or not, these 6 areas are definitely a good place to start with your cyber risk assessment.  After these areas are handled you can move on to other areas.