The modern threat landscape is virtually boundless today as cyber attacks target every aspect of the network and almost every device attached to it. It’s a constant struggle to keep data secure in light of the twin concerns of technically skilled criminals and the attractiveness of financial data. Understandably, the SEC, FINRA and other organizations have created initiatives to shepherd the financial services industry. These initiatives aim to provide guidance on data safety, and reiterate to account organizations that experienced breaches occur due to lack of preparation.
Mary Jo White, Chair of the SEC, said, “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.” The SEC’s Office of Compliance Inspections and Examinations (OCIE) has put the Cybersecurity Examination Initiative in place, which outlines a series of examinations they look for within organizations “to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness.”
How can cybersecurity solutions help financial services organizations meet requirements and stay compliant? Let’s take a closer look at some of the examinations mentioned above to get a better understanding.
Access Rights and Controls
The examiner’s perspective: “Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.”
The cybersecurity solutions perspective: A leading cause of breaches is the compromise of static passwords. Today’s cybersecurity solutions must enable such things as two-factor authentication for accessing protected networks, ensure that access points are properly secured, appropriately segment traffic once it has been authenticated and is within the corporate network, and constantly monitor traffic and devices to detect changes in behavior. Secured network access needs to span the entire infrastructure, including cloud environments, and should also include single sign-on, captive portal authentication, device onboarding and social login options.
Governance and Risk Assessment
The examiner’s perspective: “Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.”
The cybersecurity solutions perspective: With the right cybersecurity solution, organizations can analyze network traffic and identify areas of actual or potential compromise. Doing this across hundreds of devices and users allows enterprises to compile a comprehensive report of indicators of compromise. This information can provide insight into vulnerabilities and the current threat landscape, and allow organizations to establish a blueprint for reducing attacks.
Data Loss Prevention
The examiner’s perspective: “Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.”
The cybersecurity solutions perspective: As a part of the larger cybersecurity ecosystem, data loss prevention (DLP) solutions primarily monitor internal network data (rather than threats from outside sources). DLP’s effectiveness is rooted in its ability to identify documents that house sensitive data and block them from leaving the network. DLPs archive a record of the content that matches their rules, which is then used to identify future leakage risks.
Incident Response
The examiner’s perspective: “Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future events. This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm.”
The cybersecurity solutions perspective: There are many advanced threat protection (ATP) solutions available; they operate by preventing (blocking known threats), detecting (uncovering previously unknown threats), and mitigating threats (stopping them and then applying rules across all layers). While there is no way to stop every threat, financial services organizations need to adopt solutions that will help them keep pace with the complex and adaptive threats of today.
Training
The examiner’s perspective: “Without proper training, employees and vendors may put a firm’s data at risk. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.”
The cybersecurity solutions perspective: Though cybersecurity solutions can help reduce threats, they can’t eliminate employee negligence. IT security teams in financial services need to put training programs in place to educate the workforce on the latest threats and organizational procedures. Organizations that use cybersecurity solutions should also educate their workforce on how to use them. Many cybersecurity providers offer training and assessments to get customers, partners and employees up to speed.
Cybersecurity’s Two-pronged Approach
Today’s cyber threat landscape calls for diligent security measures, particularly for in-demand financial data. The SEC and other regulatory bodies have created initiatives to help organizations safeguard that data and call out those who do not meet compliance requirements. In this battle against highly skilled and motivated criminals, knowledge is power. Understanding industry rules and best practices, coupled with cybersecurity solutions to meet those standards, will help financial services organizations avoid the fines and reputation damage associated with a data breach.
About the Author
Bill Hogan leads strategic accounts and global financial services at Fortinet, where he is responsible for sales, systems engineering and business development. He formerly served as president of WebHouse, where he enabled customer success through the effective use of IT and business solutions. From 2003 to 2014, Hogan led NetApp’s Americas East and America's Enterprise Sales and Business Operations. He started his career at EMC, where he spent 10 years in various sales and leadership roles. Bill is a father of five and an avid philanthropist.