FAQs From the Cyber Desk
Cybersecurity is a fast-moving target, so it is not uncommon for firms to have questions when it comes to assessing and understanding their cybersecurity risks. Here at CSS we receive a lot of cybersecurity questions, so we thought we would take the time to answer 10 of the most common Frequently Asked Questions.
(1) What is a vulnerability? What is the difference between “vulnerability scanning” and “penetration testing”? How often is this type of testing performed?
A vulnerability is a flaw that can be exploited by hackers to gain access to company systems. Vulnerability scanning is a testing method that attempts to locate any flaws on existing systems.
Penetration testing goes a step further and attempts to exploit those vulnerabilities discovered in a vulnerability scan to gain access to systems. While the SEC has not mandated a specific testing frequency, we have seen much of our client base in financial services settle on performing vulnerability scanning quarterly and performing penetration testing annually. It is recommended that a penetration test also be performed after any major changes to a network infrastructure are implemented.
(2) What is the “dark web”?
Only a small percentage of all content is publicly available on the Internet. The majority of Internet-based content exists in the “deep web” – content which is stored in forms, databases, social media sites, and other forums, and is generally not indexed by common search engines. A subset of the deep web’s hidden content is what is known as the “dark web.” The dark web requires special anonymizing browser software to access and is often used for illicit purposes, including selling stolen or compromised account credentials such as usernames and passwords. It is here on the dark web that we monitor for compromised credentials for our clients.
(3) What is Multi-Factor Authentication (MFA) and why is it important?
Multi-factor authentication (MFA) is a security practice that requires users to combine something they know with something they have to confirm their identity. In practice, the something you know would typically be an account password, and the something you have is associated with a physical device – either a unique one-time password that displays on a keychain token at timed intervals or a unique code that is provided from a mobile device in the user’s possession. Biometrics are a third category of factor, something you are, which typically uses a fingerprint or retinal scan as the second factor.
(4) Is my vendor SEC-compliant / FINRA-compliant?
As a general matter, regulators do not take a position as to whether a particular vendor you are using is compliant. Technology vendors that store electronic records for broker-dealers do need to ensure that their record retention is WORM-compliant (write once, read many, i.e. the records cannot be deleted or overwritten) to adhere to SEC Exchange Act Rule 17a-4. As far as the reasonableness of the controls of other service providers to SEC-registered firms, the SEC expects firms to implement a robust vendor due diligence process reasonably designed to assess the vendors’ safeguards for data entrusted to them. Vendor due diligence should be conducted initially and periodically thereafter for critical vendors and service providers. So, the SEC and FINRA are not likely to tell firms that their vendors are noncompliant; rather, they may opine on the adequacy of your oversight of such vendors.
(5) Cybersecurity attacks: events/incidents versus data breaches?
The distinction between cybersecurity events/incidents and data breaches is important. A cybersecurity event/incident occurs when information has been compromised, or there has been an attempt at such compromise, resulting in the potential exposure of such information. A data breach, on the other hand, occurs when the actual disclosure of compromised information has been confirmed. Cybersecurity events/incidents should not be classified or referred to as breaches until proper legal and forensic analysis has been performed, as a “data breach” is typically a reportable compliance issue under state data breach notification regulations.
(6) What is a phishing attack?
Phishing attacks are attempts perpetrated through email to gain information, such as usernames, passwords, and credit card information, from unwitting people. Examples of phishing attacks are emails claiming that a person’s account password needs to be reset immediately or that there has been suspicious activity related to a bank account or credit card. Unsuspecting people provide the login credentials to these accounts, and attackers then have all the information they need to do damage. Phishing attacks can also take the form of an attacker posing as a C-level executive asking an employee to do something for them while they are “out of the office and unavailable by phone,” such as purchasing gift cards. The best defenses against phishing attacks are to conduct simulated phishing campaigns against your own staff to see how they fare, and to reinforce such concepts with regular security awareness training.
(7) What are the costs of a cybersecurity attack?
According to the 2019 Cost of a Data Breach Report published by IBM and the Ponemon Institute, the average cost of a data breach across the globe is $3.92 million. In the United States alone, the average cost of a data breach is more than double the global average, with a cost of $8.19 million. There are many factors people may not immediately associate with a data breach that drive the cost into the multiple millions of dollars, including increases in insurance premiums, business disruptions, loss of intellectual property and long-term losses related to reputational damages. Forensics investigation costs and legal costs associated with breach reporting contribute to a substantial part of the average price tag of a data breach.
(8) What is encryption and what information should be encrypted?
Encryption can be thought of as converting data into a special code that requires a specific key to read the data; only authorized users possess the key. Confidential and sensitive information, such as social security numbers and financial records relating to firm operations, should be encrypted at all times. It should be noted here that email is generally not encrypted, and sensitive or confidential information should never be transmitted through email.
(9) What is the difference between data in transit and data at rest?
Data at rest refers to data that is being stored on a device, server, or backup device; information that exists and is stored but is not being used at the moment. Data in transit refers to information that is being transmitted between a computer and a server or a web browser and a web server. Login portals and online shopping websites encrypt information you exchange with the server while you’re accessing the site.
(10) What are the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA)? If I’m already in compliance with the GDPR, do I need to worry about the CCPA?
The General Data Protection Regulation (GDPR) is an EU privacy regulation covering data pertaining to individuals residing in the EU. The GDPR confers certain rights to individuals to be informed of what personal information companies collect, how it is used, and to whom it is shared, as well as rights to request corrections and deletions to such data. The California Consumer Privacy Act (CCPA) is similar to the GDPR in that it confers certain privacy rights which parallel many of those under the GDPR. However, while the GDPR is applicable to personal information about individuals in the EU, the CCPA is applicable to personal information of California residents and includes an exemption for certain data covered under the Gramm-Leach-Bliley Act. As such, compliance with GDPR likely means that a firm has the operational capabilities to handle data access requests but does not imply that the firm is fully compliant with requirements under the CCPA.
We hope this helps, and if you have a burning cybersecurity question you would like us to answer, please send your questions to firstname.lastname@example.org and our cyber experts will look to tackle the next round of FAQs in a future blog post.