January was a big month for the SEC OCIE, releasing both their 2020 Examination Priorities and their even beefier Observations on Cybersecurity and Resiliency Practices. After reading between the lines against a backdrop of trends we see among our clients, here’s what you need to know.
The 2020 Examination Priorities haven’t changed. What has changed is that the SEC examiners are getting smarter. They’re leveraging top talent with cybersecurity expertise from the Technology Control Program (TCP) group and encouraging aggressive training and certification for existing examiners. That means the tests just got harder, because your teachers are now coming from the equivalent of Harvard.
What does this mean in execution? It means examiners are looking for documentation, i.e. your paper trail. Just because Microsoft or Bloomberg don’t respond to your due diligence questionnaire (DDQ) doesn’t mean you shouldn’t make the effort and document whatever results you can uncover. I cannot stress this enough: documentation is your friend.
It also means examiners understand the human factor when it comes to successful cybersecurity. Without a cyber-culture, there is no execution and no enforcement. Examiners will be looking for evidence that firms are empowering CTOs and CCOs with the people, processes, and technology to execute a cyber-strategy in alignment with the SEC OCIE’s six areas of regulatory focus (below). Buy-in from the top means buy-in from everyone.
Six Areas of Focus
- Governance & Risk Management
- Access Controls
- Data Loss Prevention
- Vendor Management
- Incident Response & Resiliency
- Training & Awareness
OBSERVATIONS ON CYBERSECURITY & RESILIENCY
Let’s start with how Agio interprets resiliency, given this is relatively new language from the SEC as it relates to their cybersecurity releases. Agio’s definition of operational resiliency is the ability to sustain core business operations during a period of friction, where friction is an event caused by an insider threat, an external threat actor, or a failure of people, process or technology. Now that we’ve level-set the terminology, on to what matters within the SEC OCIE’s observations.
Governance & Risk Management
This comes back to buy-in from the top. Having served as vCISO for hedge funds, private equity and asset managers for years now, I can tell you effective governance and risk management doesn’t happen unless there’s buy-in from the top. Without C-suite buy-in, you can’t perform a risk assessment to find out where you stand, you can’t update or implement strong policies and procedures that will make a difference, and you certainly can’t test and monitor to see whether those policies and procedures are actually being followed. All of these are elements the SEC categorizes under governance and risk management. The fish rots from the head, as they say.
Access Rights & Controls
Many firms struggle with this one; specifically, configuring, managing and monitoring user access to firm systems, applications and data, on-premises and in the cloud. Why? Because doing this well requires data classification. Understanding the sensitivity and operational criticality of your firm’s data, the systems that store, process and transmit it, and where that data resides inside and outside the firm is a tall order. But without this knowledge, you can’t identify who should have access to it, by what means, and how that access should be managed and monitored on an ongoing basis. Unfortunately, most CTOs and COOs don’t fully grasp the breadth of access to, or the extent of exposure of, certain types of data. Add the complexities of data stored in the cloud, held at various third parties, or accessed by entities outside the firm, and data classification becomes very difficult. PS – Agio can help with that.
Data Loss Prevention (DLP)
DLP probably saw the biggest shift in 2020 in how the SEC OCIE defines and categorizes it. Specifically, DLP has expanded from the traditional narrow definition of DLP tools to include vulnerability management, inventories of hardware and software, and patch management. Network segmentation, one of the most complex security measures and therefore usually the last to get implemented, now also falls under DLP. In fact, DLP is now the broadest category in the current observations, with eight control areas to protect data and systems and to detect malicious outsiders and insiders. When I talk to CTOs, I usually hear that DLP is a behemoth – something they execute after all of the low-hanging fruit has been addressed. This is where we can help. Agio’s SEC Cybersecurity Governance Program breaks down the eight control areas against the landscape of your firm’s unique risks to prioritize, and then helps execute.
Mobile Security
We see a trend of organizations supporting a BYOD policy and an increasingly porous boundary between personal and professional computing. Users need to be educated and made aware that a personal device used for business purposes becomes a business asset and is subject to seizure in the event of a cyber incident. We recommend firms provide an alternative to BYOD. At the very least, provide a Mobile Device Management (MDM) solution and a consumer-grade password manager, such as LastPass, supplied by the organization for use at home.
NOTE: We view this as the seventh area of focus because this is the first time we’ve seen the SEC OCIE break out Mobile Security into its own category.
Incident Response & Resiliency
Like patching and vulnerability scanning, incident response must be closely integrated with continuous security monitoring. This is critical. If your Managed Detection & Response solution or Managed Security Service Provider (MSSP) doesn’t bundle incident response services with monitoring, then have a conversation about making a change. Why? Because you want detection and response under one roof, working hand in hand.
When it comes to actually practicing your incident response plan, executive-level tabletop exercises are extremely valuable, but firms also need to start running small-scale incident response exercises on a continuous – even daily – basis. Doing so ensures all parties in an organization, from the top to the front lines, both know what to do and have the muscle memory for rapid response to unscheduled, high-pressure situations. Train like you’re going to fight, or as we say in the Marines, the more you sweat in peace, the less you bleed in war.
Vendor Management
Firms and their portfolio companies are only as secure as the vendors and third parties with access to their sensitive data. Despite the overwhelming challenges firms feel when starting a vendor management program, the SEC recognizes solutions like Agio’s Vendor Cybersecurity Risk Program, which assesses, ranks and reports on vendors based on questionnaires, commonly accepted certifications, and maybe most importantly, our subjective vCISO experience. Vendors can then be monitored year over year to make sure they’re staying on top of their security, and if not, clients decide whether or not to pursue an “out with the old, in with the new” strategy to reduce their overall risk profile.
Training & Awareness
Agio’s Incident Response team almost exclusively deals with incidents triggered by an employee doing something wrong. That is anecdotal evidence supporting the large body of research showing that your end users are your weakest link. Training needs to be more than an occasional phishing test. We recommend providing consumable nuggets on a host of topics:
- Browser usage
- Password management
- Suspicious activity
- SMiShing (SMS phishing)
- Responding to an incident
This might seem like a lot, but not if you have the right partner. The right cybersecurity partner is going to help you evaluate each of these areas of focus and advise you on what to prioritize first, what you can leave off for later, and agnostically offer solutions and technology for any gaps. We would love to help. Let’s get the conversation started.