The Cyber Threat from Within: SEC Examines Insider Threat Monitoring
In the 2021 Examination Priorities issued by the SEC Division of Examinations, information security and operational resiliency were among the areas of focus. The SEC has elevated its concern about information security and resiliency because of the increase in remote operations due to COVID-19.
“The Division will also review whether registrants have taken appropriate measures to safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; oversee vendors and service providers; address malicious email activities, such as phishing or account intrusions; respond to incidents, including those related to ransomware attacks; and manage operational risk as a result of dispersed employees in a work-from-home environment.”1
A recent SEC examination of an investment adviser concentrated on the protection of customer records and information, network administration and security, and data loss/leakage protection, with a focus on insider threat monitoring.
During the examination, numerous documents, policies, and procedures were requested regarding the measures in place to safeguard customer records and information from insider threats. The four major areas reviewed were:
Safeguarding of customer records and information – Policies and procedures covering how customer information is accessed and stored (regardless of where employees may be working), access controls, data classification, and staff training on protecting customer records and information from insider threats, together with the details of the firm’s insider threat program.
Third Parties – Selection, oversight, and monitoring of third parties with access to customer information, including vetting procedures and due diligence reviews, vendor agreements, contracts, supervision, tracking, access control of vendors, review of third party and external communications and file sharing, and risk assessments conducted by or on the firm’s third-party vendors.
Network Administration & Security – Policies and procedures, including information on the patching of devices; the patch remediation plan, strategy, monitoring, and reporting; remote access implementation, usage, and restrictions; and vulnerability management, including the scope of vulnerability assessments, scans, and tools, and the results of assessments/scans of network devices.
Data Loss/Leakage Prevention – Policies and procedures on data loss/leakage prevention, including access control, acceptable use, media protection, asset monitoring and tracking, monitoring for any unauthorized distribution of sensitive information, system and communication protection, protection of data at rest and in transit, and system and information integrity; media classification and sanitization; documentation of rules of behavior for users, including notifications of appropriate usage and obligations when logging in; incident reports of unauthorized distributions or disclosures of data that have occurred; and risk assessments related to data loss/leakage prevention.
Registered investment advisers will need to be prepared to respond to inquiries and information requests from regulators concerning their measures to safeguard accounts, oversee vendors, address malicious email activities, and manage operational risks associated with employees in work-from-home environments.
In a report on Observations of Cybersecurity and Resiliency Practices published in January 2020,2 the SEC noted specific examples of cybersecurity and operational resiliency practices and controls that organizations have adopted to potentially safeguard against threats and respond in the event of an incident. Its comments on Insider Threat Monitoring are reproduced below; firms should review this guidance, determine whether they have the appropriate policies and procedures in place to meet regulators’ expectations, and, if not, take the steps necessary to implement the recommended measures.
“Insider Threat Monitoring. Creating an insider threat program to identify suspicious behaviors, including escalating issues to senior leadership as appropriate. Increasing the depth and frequency of testing of business systems and conducting penetration tests. Creating rules to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information, and source code) from leaving the organization. Tracking corrective actions in response to findings from testing and monitoring, material changes to business operations or technology, and any other significant events.”3
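One way a firm could implement the “rules to identify and block the transmission of sensitive data” item quoted above, as an added example that is not from the SEC report or this article: a small outbound-content check that flags social security numbers and keyword-adjacent account numbers, logs redacted findings for review, and blocks only when the recipient is external. The patterns, keyword list, sample messages and block policy are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical rule set (not from the SEC report or any vendor product).
# SSN: excludes area numbers 000/666/9xx, group 00 and serial 0000, which the
# Social Security Administration never issues, to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Account numbers are only flagged when an "account"/"acct" keyword sits right
# before the digit run, so dates, phone numbers and order ids are not matched.
ACCT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:#]?\s*(\d{8,12})\b", re.IGNORECASE
)

@dataclass
class Finding:
    rule: str
    match: str  # redacted value, safe to write to an alert log

@dataclass
class Verdict:
    block: bool
    findings: list = field(default_factory=list)
    redacted: str = ""

def redact(value: str) -> str:
    """Keep the last four characters so an analyst can triage without re-exposing the data."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_outbound(body: str, external: bool) -> Verdict:
    """Scan one outbound message body; block on any hit to an external recipient."""
    findings = [Finding("ssn", redact(m.group(0))) for m in SSN_RE.finditer(body)]
    findings += [Finding("account_number", redact(m.group(1))) for m in ACCT_RE.finditer(body)]
    redacted = SSN_RE.sub(lambda m: redact(m.group(0)), body)
    redacted = ACCT_RE.sub(lambda m: m.group(0).replace(m.group(1), redact(m.group(1))), redacted)
    # Policy assumption: internal hits are logged for review, external hits are blocked.
    return Verdict(block=external and bool(findings), findings=findings, redacted=redacted)

# Constructed sample messages (body, recipient_is_external); no real data.
SAMPLES = [
    ("Attached per your request: client SSN 123-45-6789, account number 00123456789.", True),
    ("Internal note: verify account no. 55512345678 before wiring.", False),
    ("Order 987-65-4321 shipped; call 212-555-0100 with questions.", True),
]

def run_samples() -> list:
    """Return one Verdict per constructed sample, in order."""
    return [scan_outbound(body, ext) for body, ext in SAMPLES]

if __name__ == "__main__":
    for (body, ext), v in zip(SAMPLES, run_samples()):
        print("BLOCK" if v.block else "allow", [f.rule for f in v.findings], v.redacted)
```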
How can Alaric help?
With over 275 years of cumulative financial services compliance expertise, we have managed over 100 regulatory examinations while serving as chief compliance officers. Leveraging this experience, our team of former regulators, lawyers, and in-house chief compliance officers can help your firm be audit ready.
Call Alaric today to learn more about our cybersecurity services, at 1-888-243-2448 or firstname.lastname@example.org or visit our website, at www.alariccompliance.com.
1 2021 Examination Priorities, Division of Examinations, March 3, 2021.
2 Observations of Cybersecurity and Resiliency Practices, January 2020.