When You Look And Find That You Are The Problem

Cybersecurity is hard. It’s nearly impossible to stop an attack. If someone really wants in, they can continue to attack and attack until they find a gap. It’s hard to know that you have been breached until well after the breach. It may be just as hard to figure out what was accessed and what damage has been done. It’s hard to know what the right response should be.

Of course, I could be talking about the enormous Equifax breach. But this time it’s the Securities and Exchange Commission.

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. … Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”

SEC Chair Clayton noted that the breach did not “result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

If that is the standard for cybersecurity, then that is what the SEC should also use in its enforcement against investment advisers and broker/dealers. Instead we have cases like the one against R.T. Jones, where there were no resulting losses to its clients, only the potential loss of data.

As is typical of a company with bad news, the SEC buried the bad news in a pile of other disclosures. It spent one paragraph revealing the breach in an eight-page statement chiding the industry to be better about cybersecurity and touting its own initiatives.

The SEC’s statement, like Equifax’s revelation, did not explain why there was such a lengthy delay between the discovery of the breach and its announcement.

The likely result of the breach is that the hackers were able to access EDGAR filings before the general public and trade on that information before the general public.

The SEC’s Cybersecurity Smackdown

Last week the Securities and Exchange Commission issued a new risk alert on cybersecurity and this week the SEC announced a new action for a cybersecurity breach. The action is just as bad as I thought it could be. It also shows that the SEC is misplaced in being a cybersecurity enforcer.

R.T. Jones Capital Equities is a registered investment adviser with about 8400 clients. The firm discovered a breach in July 2013. According to the SEC order, the firm hired at least two cybersecurity firms to assess the breach. Neither cybersecurity firm could determine if Personally Identifiable Information was accessed or compromised during the breach.

According to the order, R.T. Jones has not learned that the breach resulted in any losses to its clients or that their accounts have been compromised. There is only the potential loss of data.

Even with no financial harm, the SEC decided to bring an action.

The cybersecurity firms did discover that the attack was based in mainland China and launched from multiple IP addresses. At every conference that I hear about cybersecurity, an expert will always point out that you cannot prevent an attack and an eventual breach. If there is concerted effort from a sponsored group, the hackers will find a way in.

The SEC cited its “safeguards rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), as the basis for the action. According to a story by Nicholas Donato in Private Funds Management, the SEC has cited this rule in an enforcement action in only two other instances: PL Financial Corporation in 2008 and stock trading firm Commonwealth Equity in 2009.

The SEC also goes on to note that R.T. Jones’s compromised server had non-client PII on it. I’m not sure that the Safeguards Rule applies to non-customer information.

In the end, R.T. Jones was cited for failing to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.

The SEC also fails to establish that adoption of those written policies and procedures would have prevented the breach. But even a non-computer expert like me thinks it was poor effort on the part of R.T. Jones for not having a firewall when there is PII on a public facing webserver. Perhaps the firm’s failing was egregious. The SEC does not state so.

The SEC does state that R.T. Jones had no written policies and procedures for PII. They were not inadequate. They just did not exist. That is one big takeaway from the action. Firms need to at least try to prevent the loss of PII and have the written policies and procedures to try and prevent a breach.

Cybersecurity Exams Part II: More Governance

Last year, the Securities and Exchange Commission raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview in April it seems that initiative would continue into a phase 2. The SEC recently released its OCIE’s 2015 Cybersecurity Examination Initiative.

According to the Risk Alert, the exams will focus on six areas:

  1. Governance and Risk Assessment
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Vendor Management
  5. Training
  6. Incident Response

As with Part I, the Risk Alert has a sample document request letter.

I will once again criticize the SEC’s approach to Cybersecurity.

Not because cybersecurity is not important. It is very important and a risk for all firms.

I criticize because the SEC has pushed cybersecurity as an anti-fraud requirement. The SEC is saying that a failure to adequately address cybersecurity is effectively committing fraud on your investors. The big problem is that breaches cannot be prevented. We have seen that a dedicated hacker can get into any system given enough time. Cyber initiatives can only deter hacks. Once you are hacked, you’re not only facing the problems directly from the hack, but also the looming slap from the SEC that you defrauded your investors.

On top of that, the SEC is mostly accountants and lawyers and the compliance world is mostly accountants and lawyers. Cyber requires IT personnel. I suspect many SEC compliance personnel will stare at some of the items on the request letter and have little idea what the SEC is asking for.

Hand the request to your IT department and see what they can do with it.

Sources:

Anonymous Hacker by Brian Klug
CC BY SA

SEC Issues Cybersecurity Guidance

Last year, the SEC raised a cloud of concern when it started its cybersecurity initiative aimed at broker/dealers, investment advisers and fund managers. Based on an interview last month it seems that initiative would continue into a phase 2. The SEC recently released its Cybersecurity Guidance that enunciates some steps investment advisers and fund managers can take to improve their ability to repel cyber threats.

1. Conduct a periodic assessment.

2. Create a strategy to prevent, detect and respond to cybersecurity threats.

3. Implement the strategy.

Of course, cybersecurity is important and all advisers and fund managers should take it seriously.

I do get hung up on the SEC’s statement that a firm’s initiative should be part of a compliance initiative “reasonably designed to prevent violations of the federal securities law.” I think the SEC is stretching the anti-fraud provisions of Section 206 beyond where they should go.

As the guidance points out, it is not possible to anticipate and prevent every cyber attack. If a bad actor wants to attack your systems, the bad actor can eventually get into your systems. Is that breach a compliance failure or not? The SEC’s guidance is setting complex security protocols as a legal compliance issue.

I’m skeptical that there are many people in the SEC’s IM division who understand cybersecurity protocols. I’m just as skeptical that there are many adviser/fund manager CCOs who understand cybersecurity protocols. But the SEC is insisting that cybersecurity protocols fall under the aegis of the Section 206 anti-fraud provisions.

Sources:

Hacker by Dani Latore
CC BY SA
https://www.flickr.com/photos/dlato/6437570877/

For those of you getting this by email, you should see a slightly different look. I changed providers. Let me know if you encounter any problems.

Cybersecurity Sweep Phase 2

According to a story in IA Watch, advisers should expect a second phase of the SEC’s look at cybersecurity. In an interview with IA Watch on March 9, Jane Jarcho, OCIE’s national associate director of the Investment Adviser/Investment Company exam program, described the current thinking behind its “phase 2” initiative around cybersecurity.

According to the story, OCIE plans to put out a sample document request letter or a list of focus areas for phase 2 using a risk alert, just as it did for phase 1. It sounds like phase 2 is still in the planning stages, but it’s likely to begin this summer.

What Ever Happened to the SEC’s Cybersecurity Sweep?

The Securities and Exchange Commission put the financial sector in a tizzy when it announced a sweep exam addressing cybersecurity last April. Along with the announcement came a detailed document request list that would make most compliance officers’ heads spin.

The problem with the cybersecurity sweep is that it seems to be coming from the wrong people and is addressed to the wrong people. When I think of the Securities and Exchange Commission I don’t think of hacking and data security. I think of lawyers and accountants. When I think of financial services compliance officers, I also think of lawyers and accountants.

Maybe that is overly specific. But I don’t think of cybersecurity experts in either case.

It’s not that cybersecurity is not important to the industry. It’s very important. Clients must have faith that their investments will not be stolen. Historically, the role of the SEC has been to make sure the financial professional is not stealing from its clients. Cybersecurity imposes a requirement that unknown hackers are not stealing from the financial professional’s clients.

The cybersecurity sweep went to 57 registered broker dealers and 49 registered investment advisers and looked at the legal, regulatory, and compliance issues.

The SEC’s Risk Alert on Cybersecurity details the findings.

I’m going to guess that each bullet point is now a new standard that a firm will need to meet. The alert does not say so, but I’m going to use it as a blueprint for an additional review of cybersecurity.

Weekend Reading: Countdown to Zero Day

We were in a cyber war with Iran. Kim Zetter unravels the story of Stuxnet, the US computer attack on Iran’s nuclear program, in Countdown to Zero Day.

A few months ago, I read A Time to Attack urging a US military attack on Iran. That book highlighted how Iran had been building a nuclear program for several years. That included several years of centrifuges spinning to extract enriched uranium.

It has taken so long to extract uranium because, according to Zetter, the United States has been running a sophisticated attack on the computer systems that run those centrifuges. The United States and Israel planted sophisticated tools on those computers designed to alter the speeds of the centrifuges and the flow of gas into and out of them.

We have entered an age where warfare can be broken into digital attacks and kinetic attacks. Computer geeks and fighter jocks can both engage with the enemy. Stuxnet was a replacement for dropping bombs on the enrichment facilities.

Zero day refers to an attack using a previously unknown computer security vulnerability. One attack detailed in Countdown to Zero Day used a “god-mode exploit” that was even more potent. For anyone involved in cybersecurity, the book may make you want to curl up in a ball and hide in the corner.

The book is well-written and well-researched. It’s always great to grab a book like this that is enjoyable to read and able to explain complicated situations.

There is a compliance and ethics side to the book and the story of Stuxnet. The US government has been touting the importance of securing critical infrastructure. The Securities and Exchange Commission has fired a warning that it takes cybersecurity very seriously. But according to Zetter, the government also has a stockpile of cyber weapons designed to attack those systems. Late in the book, Zetter raises the issue of whether cyber attacks should be treated as an act of war. Should Iran be able to retaliate with conventional weapons to protect itself from cyber attacks?

The publisher kindly sent me an advance reader copy of the book in hopes of me writing a review. Countdown to Zero Day goes on sale on November 11.

Cybersecurity and Private Funds

The Securities and Exchange Commission has off-and-on expressed concerns about cybersecurity for broker-dealers and registered investment advisers. Now it’s officially concerned. The SEC’s Office of Compliance Inspections and Examinations has announced a new cybersecurity initiative. The Risk Alert follows the announcement of a technology element in OCIE’s 2014 examination priorities and the SEC’s March 26, 2014 Cybersecurity Roundtable.

As part of the initiative, OCIE will conduct cybersecurity examinations of registered investment advisers. These examinations will be conducted as a “sweep exam” to assess cybersecurity risks. The Risk Alert states the sweep will cover more than 50 registered broker-dealers and registered investment advisers.

In anticipation of the sweep exams, the SEC included a sample request list for the Identification of Risks/Cybersecurity Governance.

I would anticipate that the sweep exam will be targeted at the big BDs and retail investment adviser shops and not be focused on private fund managers. However, I plan to sit down and go through the sample letter to make sure I can answer all of the questions.

References:

Hacker is by Dani Latore
CC BY SA