OCIE 2020 Cyber Observations Amid COVID-19

The COVID-19 outbreak has had ramifications across all aspects of society globally. In asset management, never before has such a vast proportion of the workforce been forced to operate remotely from the confines of their own homes. This remarkable exodus from the office has spurred the adoption of new remote communication technologies and work tools at an unprecedented rate – not to mention that the shift occurred during a period of prolonged market volatility and general uncertainty. The downside, of course, is that this is exactly the type of environment in which cyber criminals and scammers actively look to exploit weaknesses. As such, it has never been more important for global asset managers to place cybersecurity at the very center of their operational resiliency plans. But what do fund managers, boards of directors and other top asset management executives really need to know about cybersecurity? It is a common question, and getting the answer right has never been more relevant as we continue to live in a COVID-19 dominated world.

Fortunately, the Securities and Exchange Commission’s (SEC) Office of Compliance and Examinations (OCIE) has stepped forward by producing a handy guide, Cybersecurity and Resiliency Observations, that summarizes the best cybersecurity practices for asset managers. While much of the paper might be considered Cybersecurity 101, it provides a comprehensive overview for top executives who don’t spend the majority of their time focused on the topic. Here is a brief summary of what to look for:

1. Governance and risk management. Because no organization, no matter how large, can afford to address each and every cyber risk out there, it is critical to develop a risk management strategy. Instead of discussing cybersecurity with top executives as a nebulous problem, a risk assessment lets senior executives know where their firm's cyber weaknesses are and how to mitigate them. It also allows the firm to quantify its investments in cybersecurity by showing how they reduce risk.

2. Access rights and controls. The risks associated with access remain a top priority for most financial firms. Managing them means ensuring that employees have access only to the data they need in order to carry out their job functions, and no more. Viewed another way, duties should be separated: an employee with an administrative function should not also be able to conduct operations such as trading. If a low-level employee clicks on a link that is actually a spear phishing attack, a centrally managed access system with no gaps will limit the degree of compromise.

Another aspect of access concerns employees with so-called privileged access, who are able to make changes to systems and applications. A major new risk for firms is that a privileged access insider goes rogue or their credentials become compromised. The only way to detect such a compromise is to have active monitoring tools and technology in place that will send an immediate alert to the appropriate cybersecurity teams when such things as configuration changes are made. These monitoring tools and capabilities are exceptionally useful during this unprecedented BCP period where much of the workforce is working remotely. 
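To make the two points above concrete, here is an added example (not code from the OCIE paper or the author) of a centrally managed access model in Python: permissions are reachable only through assigned roles (least privilege), a separation-of-duties rule blocks any grant that would let one person both trade and administer systems, and every grant of a privileged role, or any attempt to grant one without authority, produces an alert for the security team. The roles, permission names and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role model for illustration (hypothetical roles and permission names).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "trader": {"order:create", "order:view", "position:view"},
    "ops_analyst": {"position:view", "report:view"},
    "sysadmin": {"config:write", "user:manage", "system:view"},
}

# Permission pairs that no single person may hold together (separation of duties):
# the article's example is an administrator who must not also be able to trade.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("order:create", "config:write"),
    ("order:create", "user:manage"),
]

# A grant that confers any of these is treated as a privileged-access change.
PRIVILEGED_PERMISSIONS: Set[str] = {"config:write", "user:manage"}


@dataclass
class AccessControl:
    """Central assignment store: every grant goes through assign_role()."""
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def effective_permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.assignments.get(user, set()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: only permissions reachable through an assigned role pass."""
        return permission in self.effective_permissions(user)

    def sod_violations(self, perms: Set[str]) -> List[Tuple[str, str]]:
        """Return the conflicting pairs present in a permission set."""
        return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]

    def assign_role(self, actor: str, user: str, role: str) -> bool:
        """Grant `role` to `user` on behalf of `actor`; return True if applied."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if not self.is_allowed(actor, "user:manage"):
            # An unauthorised attempt to change access is itself worth an alert.
            self.alerts.append(f"DENIED: {actor} tried to grant {role} to {user}")
            return False
        proposed = self.assignments.get(user, set()) | {role}
        proposed_perms: Set[str] = set().union(*(ROLE_PERMISSIONS[r] for r in proposed))
        conflicts = self.sod_violations(proposed_perms)
        if conflicts:
            # Refuse the grant rather than create a trader-administrator.
            self.alerts.append(f"SOD BLOCKED: {role} for {user} would combine {conflicts}")
            return False
        self.assignments[user] = proposed
        if ROLE_PERMISSIONS[role] & PRIVILEGED_PERMISSIONS:
            # Privileged grants are applied but alerted on immediately, so a rogue
            # or compromised administrator creating new administrators is visible.
            self.alerts.append(f"PRIVILEGED CHANGE: {actor} granted {role} to {user}")
        return True


def run_demo() -> AccessControl:
    """Constructed scenario: one bootstrap admin, a trader, and several grant attempts."""
    ac = AccessControl(assignments={"root_admin": {"sysadmin"}})
    ac.assign_role("root_admin", "alice", "trader")    # ordinary grant, no alert
    ac.assign_role("root_admin", "alice", "sysadmin")  # blocked: trader plus admin
    ac.assign_role("alice", "bob", "sysadmin")         # denied: alice lacks user:manage
    ac.assign_role("root_admin", "bob", "sysadmin")    # applied, privileged-change alert
    return ac


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

In a real deployment the `alerts` list would be a feed into the firm's monitoring tooling; the point of the design is that the store is the single place access can change, so the alerting cannot be bypassed by editing a system directly.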

3. Data loss prevention. These measures are aimed at reducing the possibility of data being surreptitiously moved out of the firm. A major focus is patch management: as soon as operating system patches are released, organizations should have a fast-paced, well-defined plan in place to install them. The US Government Accountability Office said in a report on the infamous hack at Equifax, a credit monitoring firm, that one of the main vulnerabilities was that the company failed to install a necessary security patch. Previously, organizations often made the decision to delay important patches for fear of business impact. However, in the current cybersecurity environment the risk of leaving an unpatched hole in your systems may greatly outweigh the risk of business impact from rolling patches out incrementally.

4. Mobile security. This is an area of increasing concern, especially when employees are working from home or other locations. There has been a sharp increase in malware aimed at mobile devices. Companies need to reinforce with their employees the importance of knowing what is and is not permitted on mobile devices. For firms that allow employees to use their own devices, companies need to utilize sandbox technology and virtual private networks, an encrypted channel that ties back to the organization's network.

5. Incident response and resiliency. Companies need to have a plan in place for a cybersecurity breach. They then need to test the plan in real time, simulating core systems and applications going offline, and they need to develop after-action reports on those tests that provide a roadmap for remediating the problems found. One aspect — often the most important — is to make sure that there is a communications plan in place so that the appropriate people, who know what to do, are contacted immediately. Core applications should be directly linked to your risk management program and ranked by their risk. Another key aspect is to make sure there are redundant backups of data kept in places disconnected from your primary systems.

6. Vendor management. Third-party assessment is a major concern for cybersecurity specialists. The old adage that you are only as strong as your weakest link applies here. While the SEC only requires firms to have vendors fill out a questionnaire, this is not really sufficient. Firms need to conduct a business technology review of vendors, making sure that they maintain the same level of security control maturity as your firm does. It often helps to connect vendor management with your firm's Enterprise Risk Management department so that vendors are managed from a risk-based perspective, not purely a compliance one.

7. Training and awareness. This is often overlooked, but training is by far the lowest-cost item in a company's cybersecurity arsenal. Yet it delivers the biggest bang for the buck in reducing breaches. This is especially true throughout this BCP environment, where employees may react more emotionally to compelling emails that purport to contain important information about COVID-19 or your organization's new policies on working from home. Training is not just about spending time on a computer training course, but about having cybersecurity personnel sit down with employees face-to-face and explain vulnerabilities and the dangers of letting down your guard, both at home and in the workplace. Training curated for different levels of the organization ensures the information passed on is relevant.

Bottom line

The evolving COVID-19 crisis poses a profound set of challenges for all regulated financial service providers, and high among the considerations (especially with a majority of staff working remotely) is cyber security. The mix of high market volatility, reconfigured working arrangements and heightened threat levels means asset managers must prioritize protection of their cyber perimeter, with the OCIE observations useful in framing their approach. As uncertainty abounds, what is clear is that the effects of COVID-19 will continue to shape the asset management industry for the foreseeable future. We will continue to provide updates here as new developments emerge.

This article was contributed by Ben Dulieu, Vice President, Enterprise Risk Management — Cyber and Technology.