Cybersecurity: Time’s Up!
Social engineering and ransomware continue to top the list of cybersecurity threats, according to the 2016 Verizon Data Breach Investigations Report released a few weeks ago. Alarmingly, the report shows the amount of time to compromise and exfiltrate data is measured in seconds and minutes for 28.3% of cyberattacks.
Time is of the essence when a potential incident occurs. When you have mere seconds to make a decision on how to contain and mitigate an attack, it is critical to have a robust incident response plan in place and to test it periodically to ensure that all staff know their roles and responsibilities.
Ascendant has created incident response plans for advisers of various shapes and sizes, and a key element of each one has been establishing clear lines for reporting and prompt escalation. I am thrilled that we will be featuring an interactive incident response planning session at our upcoming national compliance conference in San Diego, California in September 2016. Even firms that have adopted a solid incident response plan can benefit from incident response planning exercises – because the change in a single fact may alter the course of action you should take. But don’t take my word for it. As Verizon’s annual data breach report states, you have time. Three minutes and 45 seconds, to be exact.*
(*Median time from when a social engineering test is conducted to when the first recipient clicks to open the would-be malicious attachment).
Corporate Responsibility For Cybersecurity
Financial services are target No. 1. That was confirmed in a 2014 SEC cybersecurity roundtable when Larry Zelvin, then a top cybersecurity official of the U.S. Department of Homeland Security, laid out the agency’s rankings of the nation’s most critical infrastructures as they relate to cybersecurity.
Passwords: Long is Strong
It seems like there’s a new data breach in the news every other week. The fact is that hacking tools become more advanced every day, and it’s hard to keep up and stay safe. Passwords today are less secure than they were just a few years ago because inexpensive processors allow sophisticated password cracking programs to run through billions of password combinations in minutes. What can you do to stay ahead of the cyber criminals and their algorithms?
Cybersecurity Breaches at Advisers: More Common Than You Think
Think cybersecurity breaches won’t happen to your firm? It may be time to reconsider. Cybersecurity breaches are becoming much more common at investment advisers than firms may realize. While the industry is certainly buzzing about cybersecurity as the latest hot button regulatory and operational risk, executives may nonetheless perceive their firms to be at low risk for a data breach, erroneously assuming that their firms are either too small to be a target, that their IT departments have the latest technology and won’t be hacked, or that their firms are too far removed from maintaining custody of physical funds or securities to have anything of value worth hacking. This false sense of security could prove costly, in terms of both financial costs and reputational harm, as the following actual incidents reveal.
The Misnomer about Cyber
When investment advisers use the cloud, they are making a conscious, informed decision to outsource tasks to vendors who may have particular expertise or infrastructure in place to handle such tasks. From hosted email archiving to compliance reporting, and from hosted backups to client communication portals, moving data to the cloud can help many firms address business needs while enabling them to focus more on their core business – providing investment advice. However, the Securities and Exchange Commission has made it clear that while financial professionals can outsource processes, they cannot delegate the ultimate responsibility for the performance of those functions. After all, it is the investment adviser who is in the trusted position of a fiduciary with respect to the adviser’s clients.
Meeting The Challenges Of Collaborative Compliance
Companies struggling with Word, Excel and other traditional applications to support compliance functions often lack guidance when evaluating tailored software as a service.
Our main focus is on the benefits of modern software, practical functionality, and tailored content for improving business practices. In the context of compliance, these business practices are maintaining current and adaptive policies and procedures, relating these policies to risk inventories and controls, and testing the utility of such controls via collaborative checklists, with appropriate internal resources and marginal incremental costs per change.