In response to existing and emerging security risks to your customers' records, you should implement, maintain and evidence three enhanced practices within your internal technology environment, and you should demand the same from your critical third-party vendors.
Registered investment advisors (RIAs) and broker-dealers face advanced, persistent cyber threats. As incidents continue to escalate, firms and regulators have prioritized cybersecurity resilience. Recently, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (SEC OCIE) published a risk alert outlining its concerns, and its recommendations for mitigating the risks, around storing customer records on network storage. The alert covered the full environment where customer data lives: internal firm systems and externally hosted service provider systems, including cloud-based storage. The network storage concerns include:
- Misconfigured internal solutions: The OCIE highlighted the risk of absent or weak policies and procedures governing the initial and ongoing security configuration of internal network storage devices.
- Inadequate oversight of vendor-provided solutions: The OCIE's concern extended to firms that lack oversight of their critical third-party service providers, or that weakly enforce the security requirements written into their contracts.
- Insufficient data classification policies and procedures: Some firms did not demonstrate mature data classification practices. Without knowing which data is sensitive and where it resides, firm and vendor technology teams cannot reliably identify the systems that require enhanced vigilance and protect them accordingly.
Beyond Baseline Practices
In response to these observations, the OCIE cited examples of effective practices. These include implementing policies and procedures covering the security configuration standards (e.g., password protection, encryption) of network storage devices, whether internal to the firm or operated by a service provider. The OCIE also recommended governance over the implementation of software patches and hardware updates. While these are all effective practices, they should be considered baselines.
We believe firms should expect more from their internal teams and demand more from their trusted partner vendors. Keep in mind:
1) Trust but verify. To show compliance, good vendors provide details upon request. Great vendors proactively offer ongoing evidence, giving preemptive assurance that firm policies and procedures are being followed rather than waiting to be asked. Furthermore, given their scale, critical vendors should provide thought leadership and guidance based on what they observe across the industry, to help enhance their clients' internal policies and procedures.
2) Functionality is also critical. While defensive configuration of network storage devices is critically important, it is only part of delivering a great customer experience. Network storage configuration sits at the fundamental intersection of how firms bring their people and processes together to serve their customers. Misconfigured devices, poor ongoing management, and the misuse of network devices to paper over application code shortcomings add needless complexity and lead to operational outages. Robust change management processes across internal and external devices are essential, and critical vendors should provide documentation that these processes are in place across the shared production and disaster recovery environments.
3) Practice makes perfect. Your regulators, board, shareholders and customers expect you not only to plan and prepare, but also to execute, assess and demonstrate your capability to safeguard customer data and minimize operational disruptions. We recommend combining preemptive configuration management best practices with a broader, realistic exercise program that stress-tests your business continuity, disaster recovery and cyber resilience. This program should include actively exercising with your critical vendors across the shared ecosystem through which your customers' records transit and in which they are stored.
Bringing It All Together
The SEC OCIE is rightly concerned about the risks inherent in poorly configured internal and vendor network storage devices. We certainly recommend following its examples of effective practices; however, we urge firms to move beyond simply configuring storage devices to a full-spectrum risk management program.
As you look to demonstrate effective cyber resilience, learn more about how you can meet this key OCIE priority for 2019 and see how SS&C can help you safeguard records while providing a great customer experience.
Written by Blair Williams
VP, Enterprise Risk and Crisis Management