Who’s minding the store?
Determining who is responsible for the cyber-security role within a firm’s workforce is another concern of the regulator. Some large firms may have a chief information security officer or equivalent position. "You don’t have to hire someone additionally. There needs to be a person identified that is the key escalation person or responsible [party] for the risk assessment," says Mary Beth Hamilton, VP of Eze Castle Integration.
Larger firms may have a chief information security officer, or CISO; in smaller hedge funds, the responsibility often falls to the compliance officer.
"On the technology side, it’s definitely a size of shop, size of complexity issue," says Noland Cheng, managing partner of C&A Consulting, which specializes in technology, operational risk, finance, and operations. "Even some of the larger organizations with $20 to $30 billion-plus under management, I don’t know if they have a chief information security officer," says Cheng, who notes that’s more common with large banks and brokerage firms.
In large investment management firms, the top of the pyramid is the CTO and the second person on the tech side is the manager of infrastructure, who takes care of the network, mobile devices, and the firewall, he says.
A more formalized information security plan is needed because hackers, organized criminals, and nation-states are continually trying to infiltrate networks, inject malware, and steal data. "There’s a lot of bad people out there trying to figure out how to break into firms, and bad things can happen. The SEC is sending a signal to firms to make sure you have coverage," Cheng says.
On that front, the SEC also wants firms to disclose if they’ve had previous security incidents or attacks. But will firms answer truthfully since that could scare customers and damage their reputation?
"Everyone has had some type of malware or virus show up on some type of computer at some point," says Schoener. "It’s not necessarily the biggest deal," he says. On the other hand, if a list of investors’ names, addresses, and Social Security numbers is taken, you probably have an obligation to report that to someone, says Schoener. As part of the written policy, firms will identify key stakeholders that need to be notified in case of a security incident and at what escalation point they need to notify a regulator, notes Hamilton.
But even if financial firms have these policies and controls in place, certain practices expose them to risk. "Studies show that basic desktop software like Adobe Flash, PowerPoint, and Word present the most risk," says Naraine of Kaspersky Lab. If brokers have computer systems minding very sensitive data, they should never use Adobe Flash or Java or Facebook, or do any sort of web browsing on the same machine, he says. It may take four to six weeks to apply a patch to what is a critical vulnerability, he adds.
Since brokers use proprietary software systems, the types of sophisticated software attacks aimed at them are generally never seen, Naraine points out. "That’s the scariest thing, that attacks are happening and no one knows," he says. "[The attacks] are also capable of stealing all your spreadsheets and all your customer data."
But firms are using technology to fight data breaches. In the case of mobile devices, firms that have a bring-your-own-device policy now insist they have control over the part of the phone that is accessing the firm’s voice and email systems through mobile device management applications, says Cheng. "If someone loses the phone, someone can push a button and wipe the phone clean," he says. "It’s not just writing a policy; the writing translates into technology enablement."
Looking ahead, some experts suggest that the SEC’s new cyber-security guidelines could evolve into a new compliance regulation for securities and investment firms. Right now, the regulator is testing the waters to see whether firms have proper controls in place.