Financial Regulatory Forum

INSIGHT: SEC cyber-risk exam guidelines set template for firms

By Guest Contributor
May 6, 2014

By Abel Picardi, Compliance Complete

NEW YORK, May 6, 2014 (Thomson Reuters Accelus) - As the U.S. Securities and Exchange Commission tightens its supervision of technology security on Wall Street, with plans to examine cybersecurity preparedness at more than 50 broker-dealers and investment advisers, the agency has released a checklist intended to help firms review their controls whether or not they come into the crosshairs of examiners.

The move is in keeping with a cybersecurity push by SEC Chair Mary Jo White, as well as principles outlined in February by the National Institute of Standards and Technology.

Release of the cybersecurity exam checklist by the SEC’s Office of Compliance Inspections and Examinations (OCIE) follows an SEC roundtable on cybersecurity held last month. At that meeting, White emphasized the importance of protecting market integrity and customer data from cyber threats, and called for stronger partnerships between the government and private sector.

Nevertheless, the SEC has also come under criticism from a government monitor for lapses in its own internal cyber controls.

The following summary and review of the OCIE’s examination checklist can help firms shape their own strategies for developing preventive controls as well as meeting regulatory scrutiny. The checklist focuses on seven areas:

  1. The entity’s cybersecurity governance. The examiners will ask the firm for written evidence of any action taken relating to managing cybersecurity practices, the frequency with which such practices are conducted, the group responsible for conducting the practice; and, if not conducted firmwide, the areas that are included within the practice. The examiners will also request for copies of any relevant policies and procedures relating to cybersecurity.
  2. Identification and assessment of cybersecurity risks. Examiners will focus on the firm’s initiatives addressing the following:
    • Inventory of physical devices and systems;
    • Inventory of software platforms and applications;
    • Maps of network resources, connections, and data flows (including locations where customer’s information is housed);
    • Cataloging of connections to the firm’s network from external sources;
    • Protection priorities of resources (hardware, data, and software) based on their sensitivity and business value;
    • The adequacy, retention and secure maintenance of logging capabilities and practices.
  3. Protection of networks and information – the firm must identify any published cybersecurity risk management process standards, such as those issued by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), which were used to model its information security architecture and processes. Documented practices needed to demonstrate this include:
    • Written guidance and periodic training for employees concerning information security risks and responsibilities.
    • Maintenance of controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. User restrictions are applied to network resources necessary for the business functions and the firm is to maintain an environment for testing and development of software and applications that is separate from its business environment.
    • The firm maintains a baseline configuration of hardware and software, and users are prevented from altering that environment without authorization and an assessment of security implications. Also, there is a process to manage IT assets through removal, transfers, and disposition.
    • A process for ensuring regular system maintenance, including timely installation of software patches that address security vulnerabilities.
    • Information security policies and training to address removable and mobile media, and controls to secure removable and portable media against malware and data leakage.
    • Written policies on data destruction and cybersecurity incident response, and conduct of tests or exercises to assess the firm’s incident response policy.
    • Periodic tests of the functionality of a firm’s backup systems and periodic audits for compliance with the information security policies.
    • Use of encryption technology, including an indication of which categories of data, communications and devices are encrypted.
  4. Risks associated with remote customer access and funds transfer requests, such as for customers with on-line account access. The following information must be accessible:
    • The name of any third party or parties that manage the service;
    • The functionality for customers on the platform (e.g., balance inquiries, address and contact information changes, beneficiary changes, transfers among the customer’s accounts, withdrawals or other external transfers of funds);
    • How customers are authenticated for on-line account access and transactions. Information must include any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access.
    • A description of any security measures used to protect customer PINs stored on the site, and any information given to customers about reducing cybersecurity risks in conducting business with the firm, and policies for addressing responsibility for losses associated with attacks or intrusions affecting customers.
  5. Risks associated with vendors and other third parties. Evidence must be available for examiners’ review involving:
    • Cybersecurity risk assessments of vendors and business partners with access to the firm’s networks, customer data, or other sensitive information, or due to the cybersecurity risk of the outsourced function.
    • Requirements relating to cybersecurity risk provisions in contracts with vendors and business partners. This includes training materials on information security procedures, and descriptions of responsibilities for training for vendors and business partners authorized to access its network.
    • Assessments of the segregation of sensitive network resources from resources accessible to third parties. If vendors, business partners, or other third parties conduct remote maintenance of the firm’s networks and devices, a firm must document approval and logging processes, or controls to prevent unauthorized access.
  6. Detection of unauthorized activity. Descriptions are needed on:
    • Identifying and assigning specific responsibilities, by job function, for detecting and reporting suspected unauthorized activity.
    • Maintaining baseline information about expected events on the rirm’s network.
    • Aggregating and correlating event data from multiple sources, and establishing written incident alert thresholds.
    • Monitoring the firm’s network and physical environment to detect potential cybersecurity events and for the presence of unauthorized users, devices, connections, and software on the firm’s networks.
    • Using software to detect malicious code on firm networks and mobile devices, and evaluating remotely-initiated requests for transfers of customer assets to identify anomalous and potentially fraudulent requests.
    • Using data loss prevention software and conducting penetration tests and vulnerability scans and testing the reliability of event detection processes, and using the analysis of events to improve the Firm’s defensive measures and policies.
  7. Experiences with certain cybersecurity threats. Reports of any threats that the firm has experienced and the impact to the business should include:
    • Incident descriptions covering the extent of losses incurred, customer information accessed, or firm services impacted. The date of the incident; the date the incident was discovered and the remediation for such incident should be provided.
    • Descriptions of any malware that was detected on one or more firm devices.
    • Instances when access to a firm web site or network resource was blocked or impaired by a denial of service attack. The service affected, and the nature and length of the impairment should be identified.
    • Impairment of a critical firm web or network resource due to a software or hardware malfunction, and how it was remediated.
    • The use of a compromised customer or vendor computer to remotely access the firm’s network, resulting in fraudulent activity, such as a transfer funds from a customer account or the submission of fraudulent payment requests purportedly on behalf of a vendor.
    • The receipt of fraudulent emails, purportedly from customers, seeking to direct transfers of customer funds or securities.
    • The use by an employee or other authorized user of the firm’s network resulting in the misappropriation of funds, securities, sensitive customer or firm information, or damage to the firm’s network or data.

Weaknesses in SEC internal controls

The cybersecurity initiative came as the SEC received from its auditor, the Government Accountability Office (GAO), a critical report finding serious weaknesses in its own internal controls over financial systems and data.

The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of a key financial system to a new location, the GAO said. 

Lapses in the migration process cited by the GAO included failures to consistently protect the SEC’s system boundary from possible intrusions, to securely configure the system at its new data center according to its configuration baseline requirements or consistently apply software patches intended to fix vulnerabilities. It also failed to adequately segregate its development and production computing environments and ensure redundancy of a critical server, the GAO said.

The SEC relies extensively on computerized systems that collect and process financial and sensitive information, the GAO said. Until the SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption, the GAO said.

Conclusion

Pursuant to the Securities Act of 1933 and the Securities Exchange Act of 1934, publicly-owned companies are required to provide timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision. In light of the increased use of digital technologies in commerce and recent high-profile data breach and cybersecurity related events, the SEC decided to provide guidance regarding the applicable factors that financial firms must consider about cybersecurity matters in light of a company’s specific facts and circumstances.

The OCIE’s examination checklist is intended to highlight the risks and issues that firms should consider to assess compliance with their own internal security framework and to help identify areas that need improvement.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)

Post Your Comment

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
  •