Investment Management Cybersecurity Risk and Compliance in 2018

And how to align your research process, cybersecurity posture and compliance

October is National Cybersecurity Awareness Month. Don’t worry, I almost missed it too; I was busy celebrating National Window Coverings Safety Month and World Pasta Day.

I jest, of course – continued awareness of cybersecurity is absolutely vital, and the National Cyber Security Alliance campaign to promote it is a great reason to revisit the key considerations that keep the topic firmly at the top of priority lists for our fund clients, and across the industry as a whole.

Just one year on from our cybersecurity best practice article following the Equifax, Deloitte and SEC EDGAR electronic filing system hacks (you can find that piece here), we could easily write something similar about the big headlines and breaches of today. But that’s not what this blog aims to do. For a look at the biggest cybersecurity stories of 2018 so far, see this excellent piece from Wired. For more on the state of investment management cybersecurity, fund best practice and how that relates directly to your research process, read on.

The Evolution of Cybersecurity Risks and Key Examination Criteria

Since the first SEC cybersecurity initiative was introduced back in 2014, there is now much wider acknowledgment of investor scrutiny over cybersecurity and of the need to demonstrate best practices and processes that are under continuous review.

However, it was the second round of cybersecurity examination criteria, first released in 2015, that marked the turning point for how funds must approach data management, access and controls today.

Building on the initial initiative, it looked to assess your cybersecurity preparedness further, with more testing of how a firm’s procedures and controls are actually implemented.

A key takeaway from this was the need to proactively monitor, measure and document your cybersecurity posture. In fact, the SEC National Exam Program Risk Alerts that have followed all make it abundantly clear that adopting a policy, but failing to monitor the ongoing implementation and effectiveness of that policy, is insufficient.

In essence, what was once considered best practice was made explicit: your ability to monitor and record all access to sensitive information is no longer optional.

The SEC and the Office of Compliance Inspections and Examinations (OCIE) continue to communicate the risks cybersecurity presents to investors and the capital markets with rigor, and focus their regulations and examination processes in line with that.

The six OCIE Cybersecurity focus areas continue to be governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

When it comes to the guidance for data loss prevention (DLP) and access controls in particular, funds with an integrated Research Management System (RMS) in place have a head start in meeting the requirements.

In fact, because an RMS holds an accurate and complete digital record of data assets and user activities, it can be one of the most effective tools in your arsenal for demonstrating compliance.

In Practice: Cybersecurity Policies and Your Research Process

Failure to capture the data you need to demonstrate how your fund engages with sensitive information could spell trouble for your cybersecurity posture and impending examinations. For the focus areas of access rights and controls and DLP, you must be prepared to continually monitor and evidence the following:

  • Where your sensitive information assets are located and stored.
  • Who has access to them and through what systems.
  • How sensitive data is encrypted, where and how that is applied.
  • How you manage user credentials, authentication and authorization methods.
  • Who is creating, accessing or engaging with your data assets, when, via what systems and on what device.
  • Whether the device they are using is authorized or not.
  • How users are interacting with that information once accessed: viewing, sharing, emailing out, commenting, editing, downloading.

In Response: Your Approach to Secure Research Management

You could batten down the hatches, switch on surveillance, and lock down access with layers of costly, complex security products. However, neither your analysts nor the SEC will thank you for it. The more productive and cost-effective way to meet the new demands is with a modern RMS.

An informal approach to research management – funds still ‘making do’ by knitting together a patchwork of tools and “bring your own” consumer software for their research needs – is no longer viable. In reality, the robust access controls, fund-wide visibility, and accurate recording and monitoring capabilities of a modern RMS are no longer “nice to haves”, but critical components in demonstrating your cybersecurity preparedness. A modern RMS provides:

  • An integrated data repository to create, store and access information fund-wide.
  • Customizable access policies, authentication and authorization controls.
  • Continuous monitoring of all user activity relating to stored data assets.
  • An accurate, complete audit trail of every action taken within the platform.
  • Granular configuration and control to disable or restrict features per user.
  • On-demand data retrieval, custom reporting and behavioral analytics.
  • Proactive monitoring reports on all recorded activity.
  • Alerts and notifications for tracked behavior such as failed log-in attempts and unauthorized access.

At Bipsync, our tightly integrated productivity environment, centralized research repository and powerful automation engine provide ongoing monitoring and in-depth insight into user access, behavior and activity to help meet key areas of the new examination criteria, enabling you to:

  • Centralize your data assets: All your research notes, updates, ideas and assets in one place; findable, searchable and trackable.
  • Remove unauthorized silos: An integrated productivity environment eliminates the need for separate note-taking tools or supplementary mobile productivity apps, enabling end-to-end data capture of all analyst activity.
  • Ensure user adoption: Users live on the system, work from it and seamlessly integrate their workflows with it, which enables the most complete audit trail of activity.
  • Proactively monitor user access and activity: Automatic versioning, logging and archiving captures all user behavior pertaining to data assets.
  • Turn recorded information into intelligence: Custom reports and analysis extract meaningful data for your compliance and security posture and SEC reporting needs.

By implementing a modern RMS, like Bipsync, funds find they can quickly begin to cost-effectively address new cybersecurity compliance requirements for access rights and data loss prevention.

The Bottom Line

The SEC has shared its focus areas and provided detailed guidance for internal review and action to ensure you are prepared for, and focused on, your cybersecurity needs. Ultimately, there can be no security without visibility, and funds can no longer afford to take an informal or siloed approach to research management or access controls.

And yes, we all know by now that none of the risks, rules or regulatory actions are going to abate anytime soon. It can be an expensive endeavor on many fronts: a report released in July this year put the average price tag at $7.91 million per breach in the US; it was also recently announced that Voya Financial Advisors must pay $1 million to the SEC following a cybersecurity breach in April; and for the first time the “red flag identity theft rule” was used, with a charge for violation of the safeguards rule for failure to protect customer records and information. The indications are clear: regulators will not be light-handed with non-compliant firms.

However, there continues to be plenty of guidance out there to support your compliance program and its implementation. In October last year we saw the OCIE release results from its cybersecurity examinations, with recommendations. For example, it identified shortcomings in established and enforced controls for access to data and systems, and observed Regulation S-P-related issues regarding inadequate system maintenance to address security vulnerabilities and other operational safeguards to protect customer records and information, to name just two areas of focus.

And to bring it back up to the present day, in February 2018 we had the OCIE’s SEC Examination Priorities for this year. As expected, the six cybersecurity focus areas remained high on the agenda. So, if you’re still looking for a compliant research foundation for today’s requirements or for best practice on how to safeguard your future cybersecurity needs, get in touch to learn more about how Bipsync can help.