Today’s cybersecurity threats target all parts of the network and nearly every device attached to it, making the potential threat landscape virtually boundless. When you pair technically skilled criminals with the attractiveness of financial data, trying to keep information safe is a constant battle. With this in mind, organizations like the SEC and FINRA have developed initiatives to help guide the financial services industry towards success, and at the same time, to also hold breached organizations accountable if they were inadequately prepared.
SEC Chair Mary Jo White said, “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has put the Cybersecurity Examination Initiative in place, which outlines a series of examinations they look for “to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness.”
Let’s take a closer look at some of these examinations to get a better understanding of how cybersecurity solutions can help financial services organizations meet requirements and stay compliant.
Governance and Risk Assessment
What examiners look for: “Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.”
How cybersecurity solutions can help: Effective cybersecurity solutions have the ability to analyze an organization’s network traffic and identify areas of actual or potential compromise. Doing this across hundreds of devices and users allows enterprises to compile a comprehensive report filled with valuable data. This information can provide insight into vulnerabilities and the current threat landscape, and allow organizations to establish a blueprint for reducing attacks.
Access Rights and Controls
What examiners look for: “Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.”
How cybersecurity solutions can help: Static passwords can be easily compromised, which often leads to breaches. Today’s cybersecurity solutions must enable such things as two-factor authentication for accessing protected networks, ensure that access points are properly secured, appropriately segment traffic once it has been authenticated, and constantly monitor traffic and devices to detect changes in behavior. Secured network access needs to span the entire infrastructure, including cloud environments, and should also include single sign-on, captive portal authentication, device onboarding, and social login options.
Data Loss Prevention
What examiners look for: “Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.”
How cybersecurity solutions can help: Data loss prevention (DLP) solutions are part of the larger cybersecurity ecosystem, and they primarily monitor internal network data (rather than threats from outside sources). DLP’s effectiveness is rooted in its ability to identify documents that house sensitive data and block them from leaving the network. DLP solutions archive a record of the content that matches their rules, which is then used to identify future leakage risks.
Training
What examiners look for: “Without proper training, employees and vendors may put a firm’s data at risk. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.”
How cybersecurity solutions can help: Cybersecurity solutions can help reduce threats, but they can’t eliminate employee negligence. IT security teams in financial services need to put training programs in place to educate the workforce on the latest threats and organizational procedures. Organizations that use cybersecurity solutions should also educate their workforce on how to use them. Many cybersecurity providers offer training and assessments to get customers, partners, and employees up to speed.
Incident Response
What examiners look for: “Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.”
How cybersecurity solutions can help: Many cybersecurity vendors offer advanced threat protection (ATP) solutions, which operate by preventing threats (blocking known threats), detecting threats (uncovering previously unknown threats), and mitigating threats (stopping them and then applying rules across all layers). While there is no way to stop every threat, financial services organizations need to adopt solutions that will help them keep pace with the complex and adaptive threats of today.
As the SEC and other organizations continue to establish initiatives to keep financial data safe, organizations need to make sure they are keeping pace. Failing to adhere to regulations could result in significant reputational setbacks and monetary fines and losses.