As the world of finance enters a new age of technology, regulators such as the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) have begun to strengthen their enforcements around cybersecurity in order to mitigate emerging technological threats.
According to Cybersecurity Ventures’ 2019 Official Annual Cybercrime Report, it is predicted that by 2021, the negative effects of cybercrime will cost the world more than $6 trillion (accounting for the costs of damage and destruction of data, stolen assets, lost productivity, theft of intellectual property, embezzlement, fraud, and more).
This staggering prediction reinforces the need for businesses to have a strong, sturdy, effective cybersecurity system in place to mitigate threats and protect data. However, many businesses are unprepared for a cyberattack—and are unsure of how to implement a program to fit their unique cybersecurity needs.
Wolf & Company recently hosted an informative roundtable discussing the major security and compliance issues faced in the industry today. Wolf wanted attendees to have a firm grasp on what examiners are expecting to see in their individual cybersecurity processes, and highlight resources that are currently available to help you remain compliant and adequately pass examinations.
OCIE Releases Priorities
On January 7, 2020, the Office of Compliance Inspections and Examinations (OCIE) released its list of examination priorities for the year. These priorities are published annually to provide insight into the Office’s own examination processes—telling businesses which security controls to focus on in order to mitigate the potential risks stemming from areas of high concern in the marketplace.
Based on an analysis of the reports from past and present OCIE examinations, Wolf recapped what cyber threats and protocols the OCIE examined, the results of their audits, what has gone well during the exams and what has gone poorly, and the final focuses presented from the results.
Although the new regulations, expectations, and compliance responsibilities can be overwhelming, institutions such as the National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), SEC, and FINRA have all published exceptional resources to help you navigate the bumpy road to cybersecurity compliance and optimization.
Insights from OCIE Cybersecurity Examinations
Wolf detailed the expectations set forth by examiners, such as the OCIE, looking first to the results from their 2014 Cybersecurity Examinations, then to their second round in 2016, and finally to their most recent round in 2020.
2014
This was the year that the OCIE conducted its very first cybersecurity sweep—examining 106 broker-dealers and investment advisors. After conducting the audits, the OCIE crystalized its findings and sent them to investment advisors to alert them of what was happening in the realm of cybersecurity. The focus areas published included:
• Governance and risk management
• Protection of networks and data
• Remote customer access and fund transfer requests
• Third-party risk management
• Detection of unauthorized activity
2016
The OCIE was disappointed with the lack of attention to cybersecurity that it found during the 2014 audits. Its second round of examinations took place in 2015 and covered 75 broker-dealers, investment advisors, and funds. The results were released in 2016 and showed an overall improvement in the quality of the cybersecurity protocols in place.
After analyzing the results, the areas of focus published were:
• Governance and risk management
• Access rights and controls
• Data loss prevention
• Vendor management
• Security awareness training
• Incident response
2020
Recently, the OCIE published its 2020 focus areas, directing firms to target:
• Governance and risk management
• Access controls
• Data loss prevention
• Vendor management
• Security awareness training
• Incident response and resiliency
• Online/mobile customer access
• Hardware disposal
• Overseeing network/cloud vendors
FINRA Report on Cybersecurity
One helpful resource to guide you along the course to cybersecurity compliance is the FINRA Report on Cybersecurity. This report was released in 2018, and although much of what it listed mirrored the OCIE’s findings, it focused more on high-risk areas and areas of concern, with the goal of increasing the maturity of cybersecurity controls.
Specifically, the report detailed:
• Branch controls
• Phishing
• Insider threats
• Penetration testing
• Mobile devices
“Core” Cybersecurity for Small Firms
FINRA also released a smaller list of cybersecurity best practices, titled “Small Firm Cybersecurity Checklist.” This is a companion workbook for the FINRA guide and is a very useful resource to take the first step towards adequate cybersecurity.
NIST Cybersecurity Framework
Neither the SEC nor FINRA requires a specific cybersecurity framework. However, FINRA does explicitly mention the NIST cybersecurity standards as a good option (others include ISO 27002, NIST SP 800-53, and COBIT).
NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of infrastructure manage cybersecurity-related risk.
The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Incident Response.
Framework Core
The NIST Framework is based on five functions: identify, protect, detect, respond, and recover.
Implementation Tiers
The implementation tiers rate the maturity of the security controls in place. The tiers of this rating system range from Partial, to Risk Informed, to Repeatable, and finally, Adaptive.
Incident Response
This section asks: given that something will inevitably go wrong, would we be able to respond to it well?
CIS Cybersecurity Controls
If you want to know whether you have the right controls in place to protect your data, the Center for Internet Security’s Critical Security Controls (CIS CSC) is a great tool for you. These controls are built on community experience and focus on a smaller number of actionable controls with a high payoff.
The control groups range from basic, to foundational, to organizational—depending on the maturity of your controls system already in place. The system highlights why each control is critical, describes how to implement the control, and offers procedures and tools to help with implementation.
Penetration Testing
All of these guides and tools are excellent resources to begin building your cybersecurity framework. But, analyzing and implementing these strategies all leads up to one thing—penetration testing.
Penetration testing is one of the most critical procedures on the road to a reliable cybersecurity control system. It is an intentional attack on a computer system, performed to test its strength and security—essentially, someone is actively trying to find the weaknesses within your system, and expertly trying to exploit them.
Understanding the Terms
There are many different types of penetration testing procedures:
• Internal vs. external
• Credentialed vs. uncredentialed
• Black box vs. grey box vs. white box
• Red team/blue team/purple team
Each method has its own specific traits that cater to the various controls being evaluated, such as the internal network, web applications, or hosted/cloud systems.
Penetration testing is incredibly valuable to evaluating your security posture. You may think you’re ready to face any threats—but until you put your security to the test, you don’t really know if your walls will hold against attackers.
Conclusion
The world is moving online, meaning your methods of protection used to secure your company’s data must follow suit. Although seemingly overwhelming, creating a robust cybersecurity framework is essential. And, with the well-rounded frameworks, resources, and tools offered by organizations such as the OCIE, NIST, FINRA, and CIS, you will be able to build strong cybersecurity controls worthy of passing any examination or audit.