
What Am I Looking At? Making Sense of Your Cyber Testing Reports

It’s no surprise that Compliance and IT do not speak the same language. Compliance staff often speak in terms of regulations and policies, whereas bits and bytes are the language of IT staff.

This distinction is clear when it comes to cybersecurity risk management, as the compliance and IT audiences are looking for different takeaways when reviewing cybersecurity testing reports, according to E.J. Yerzak, Director of Cyber IT Services at CSS, and Korrine Kohm, Director of Retail Wealth Manager Services at CSS, who presented on the topic at the CSS/Ascendant compliance conference in San Diego in coordination with Martin Voelk, Chief Hacking Officer of GigIT, Inc.

Their session, “The Threat is Real – Understanding Your Cyber Testing Reports,” explained various types of cybersecurity testing that many investment advisers are retaining firms to conduct, from phishing testing to vulnerability scanning to various types of penetration testing (network, web application, and Wi-Fi), as well as the difference between each testing approach. And since all cyber testing is essentially designed to assess cyber risk, the speakers discussed industry standard vulnerability frameworks such as the Common Vulnerability Scoring System (CVSS) ranking scale and the use of CVE Identifiers to uniquely identify a specific vulnerability.

Given the numerous agency regulations that now require or strongly recommend periodic cybersecurity testing and set forth specific frequencies for such testing, it is now more important than ever that compliance and IT get on the same page when it comes to understanding their firm’s cyber risk exposure, and what is being done to address those risks. Compliance need not become an IT person, but can certainly benefit from developing a good working knowledge of, and obtaining more comfort with, the different types of cyber testing, the various parts of a cyber report, and how much risk a particular vulnerability presents to the firm.

It Takes a Village – Preparing for a Regulatory Exam

Advance planning for a regulatory exam remains a vital step in ensuring the compliance team is prepared when the exam team comes knocking. At the recent CSS/Ascendant fall conference in San Diego, Allison Fraser moderated the conference’s capstone session on the topic, joined by Bryan Bennett, the Associate Regional Director in the examination program in the SEC’s Los Angeles regional office; Asher Ailey, Chief Legal Officer and Head of Compliance at Research Affiliates, LLC; and Genna Garver, Of Counsel and Chair of the Investment Management Group at Dorsey & Whitney LLP.

During the session, Bennett provided the audience with a background of the exam program, how the increased use of data analytics has changed the exam staff’s approach, the practice of hiring examiners with industry background, and the role of the Private Funds Unit and interaction with the regional offices.

Ailey highlighted some key steps an adviser should undertake on an ongoing basis to ensure the effectiveness of a compliance program, including periodic risk assessments, ensuring that Form ADV and other filings are current and accurate, and conducting regular employee training. Ailey also recommends conducting a mock exam to gain an independent view of the firm’s compliance program. Garver noted that the exercise of producing documents requested in a mock exam informs the firm about its ability to respond to an actual exam.

Garver highlights the importance of advance planning of the logistics of the exam, such as designating your exam team, identifying your process for producing and tracking documents, and preparing an opening presentation to give the exam staff the background of the business. The panel also offered these additional suggestions:

  • Provide complete and accurate answers to any request or question. Be sure to ask questions if you don’t understand, and be specific as to your responses
  • Be timely in your responses and communicate promptly with the staff if you identify delays in producing documents
  • Make your senior personnel available during the on-site exam
  • Have someone, preferably the CCO, sit in during all interviews with firm personnel
  • Be professional and accommodating
  • Don’t do a data dump
  • Be careful about overly broad privilege claims
  • Keep calm

The panel noted that most exams end in some type of deficiency finding. For each finding, identify the necessary corrective action and advise the staff of your plan. Ensure that corrective measures are completed. While an exam is stressful on an organization, effective efforts before, during and after an exam can help minimize the impact on your firm.


CSS’ investment adviser solutions include SEC mock exams. For more information, contact us.

The ‘Next Frontier’ in Investment Advice

We live in a world filled with dramatic change on a scale we’ve never seen before. The speed and magnitude of change in so many areas is fueled by technology. The sheer number of processes and functions we’re able to address simply from our phones has upended so many different industries, including travel, entertainment, and communication. The investment industry is no different.

So how does that affect us? Recent CSS/Ascendant “Decrypting Regulations” conference keynote speaker Bill Coppel of First Clearing discussed “The Next Frontier” for the industry, which will focus on the experiential rather than transactional.

Why? With the availability of information, it seems as though there is a diminishing value being placed on expertise. Anyone can present himself or herself as an expert, but providing information doesn’t necessarily equate to being an expert. Because of this, there’s been a large shift in who and what sources of information we trust. With the interconnectivity of our world, trust is being distributed across multiple sources while in the past, we used to just trust a handful of companies, people, etc.

The Next Frontier will demand that advisers focus on the experience that clients have. Advisers are in the business of cultivating their clients’ well-being and not just their rates of return. Our main source of happiness isn’t wealth, but life experiences, relationships and time. Studies show these areas directly affect overall happiness, health, and longevity.

Technology is wonderful, but it demands that we as humans pay attention to the implications of it being so interwoven into our everyday lives. The investment industry cannot continue to focus on rates of return, because soon AI will be able to more efficiently manage portfolios than humans can. Instead, we should focus on the things that truly make people happy: life experiences, relationships and time.

Lessons Learned: Wargaming Your Incident Response Plan

Data breaches and cyber incidents made headlines again recently with the announcement that 50 million Facebook accounts were compromised as well as the SEC’s issuance of sanctions against a dual registrant stemming from the firm’s response to phishing attacks. So it was both timely and fitting that U.S. intelligence community veteran Jeff Welgan, Executive Director and Head of Executive Training Programs at Cybervista, kicked off the CSS compliance conference in San Diego with an interactive workshop on incident response, “Cyber Incidents and Response: Keeping Cool in the Line of Fire.”

Joining Mr. Welgan was E.J. Yerzak, Director of Cyber IT Services at CSS, who provided context for the wargaming workshop by discussing the current cybersecurity landscape. Mr. Yerzak noted that phishing continues to be the leading attack vector as people are the biggest cyber risk and even smart people can make mistakes when it comes to security awareness. In addition, malware continues to evolve as hackers try to stay one step ahead of detection capabilities.

Since it only takes one employee to compromise a firm, testing your incident response plan with tabletop exercises and wargaming under time constraints is key to avoiding complacency and maintaining the ability to think critically during a crisis. Mr. Welgan gave each attendee a very specific role to play at a fictitious firm, placing them directly in the data breach scenario as it unfolded, and challenged attendees to step outside their comfort zones in making critical decisions quickly while balancing competing business priorities and incorporating new facts.

Attendees rose to the challenge and helped navigate their fictitious firm through its incident response and recovery efforts. And in the process, the wargaming workshop revealed some helpful takeaways for firms to consider going forward, including:

  • Paying a bitcoin ransom is generally not a good idea, but some firms do pay it if the cost-benefit analysis tilts in favor of that action
  • Cyber incidents can rapidly increase in scope and complexity as additional facts are learned
  • The costs of a cyber incident can range from financial payout (ransom) to downtime, lost productivity, forensic investigation costs, and repair and recovery costs, as noted in the SEC’s Interpretive Guidance on Cybersecurity Disclosure from Feb. 2018

Coordination of response efforts involves multiple roles and perspectives, but ultimately, someone must make a decision and be sufficiently authorized to put it in motion.

Getting Your Information Security Program Up to Scratch

In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) reaffirmed that its examination priorities continue to include cybersecurity. Two years previously, OCIE detailed the following specific areas of focus:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

These key areas should cover much of the cybersecurity risk that Investment Adviser (“IA”) firms will face. However, for firms with little to no experience in dealing with cybersecurity, covering the above can be a daunting task. By reviewing OCIE examination priorities and taking a step-by-step approach, a firm can create an Information Security Policy (ISP) suitable to its needs. An Information Security Policy should be a comprehensive document outlining how a firm handles matters related to cybersecurity. Everything from high-level policy to technical details should be contained in the Information Security Policy.

Governance And Risk Assessment

The OCIE 2015 examination priorities for Governance and Risk Assessment provide as follows:

“Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.” – OCIE’s 2015 Cybersecurity Examination Initiative

When dealing with Governance and Risk Assessment, a firm should ask these questions:

  • Does the firm handle sensitive data?
  • Where is sensitive data located?
  • Who can access sensitive data?
  • How can sensitive data be accessed?
  • Who oversees IT decisions?

Each firm will have its own share of unique risks depending on the type of IA as well as the business environment in which it operates. When evaluating risk, a firm must first identify what is at risk. In most cases, the answer will include data.

Due Diligence for Advisers & Sub-Advisers

In an April 2003 speech, Lori Richards, then Director of the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, mentioned one area where she believed less-than-meticulous care had been given: the supervision of service providers and, in particular, sub-advisers.

“I doubt anyone questions the need for an adviser, before contracting with a sub-adviser, to conduct an initial due diligence review into the qualifications and suitability of the sub-adviser. What is important in reviewing a potential sub-adviser though, is not just its performance “track record,” but also the compliance controls that the sub-adviser has in place in all areas of its business that will affect clients of the primary adviser. And, after the contract is signed, the adviser needs to perform due diligence on a continuing basis. On a continuing basis, the adviser must concern itself with whether the sub-adviser is, in fact, providing the level of fiduciary care that the adviser itself provides to its clients. One practice that may be effective is for the adviser to conduct compliance audits of the sub-adviser, or for the sub-adviser to provide the adviser with copies of its internal or external compliance audit reports.”

In the time since the speech, the advice about sub-adviser due diligence has only grown in importance.

What makes a registered investment adviser (“RIA”) attractive as a potential sub-adviser? At the top level, this includes key areas such as what differentiates a firm from others; what the culture is – student or master; whether there is a comprehensive business plan; whether there is an understanding of the behavior of performance; and how strong the infrastructure is: investment personnel, operations, client service, and, what we will focus on in this paper, compliance. Each of these items requires a separate due diligence review. If you are an RIA hoping to be hired as a sub-adviser, you need to be prepared to respond to detailed questions and provide evidence that you have memorialized your internal testing. If you are an RIA who is hiring sub-advisers, you need to have in place disciplined policies and procedures around how you will conduct your pre-hire and ongoing due diligence program.