Office of Compliance Inspections and Examinations (OCIE) Priorities for 2017

Cybersecurity is a Priority for the SEC

CyberSecurity Checklist

Has your compliance software been tested for cybersecurity vulnerabilities? Really? Prove it. BasisCode can.

BasisCode recently spoke about cybersecurity with Michael Brice of BW Cyber Services, a member of the BasisCode Advisory Committee. We discussed cybersecurity and how it affects BasisCode, clients, and the industry.


Today's topic focuses on the following:

  • Internet cybersecurity
  • The SEC’s focus in 2017 on cybersecurity and the critical risks associated with 3rd party software
  • The vital role of Penetration Testing (PenTesting) and how it helps to address the risk associated with 3rd party software

Mr. Brice stated that cybersecurity is one of the top SEC priorities for 2017, and moreover, that it is also considered a market-wide risk that is significantly disrupting industry operations. Most notably, he referenced recent cybersecurity statistics indicating that approximately one in four registrants will suffer a cybersecurity breach.

With these two key risks in mind (regulatory oversight and operational disruption), it is clear that having a cybersecurity program is no longer an option; it is now a critical business requirement. A key component of your cybersecurity program should be Penetration Testing, also known as PenTesting. PenTesting is the act of having an external vendor test your applications for possible inside and outside security threats. Not only is it important for you to ensure your software is secure, it is an SEC requirement that all 3rd party vendors (including critical 3rd party software solutions, especially cloud-based solutions) be evaluated for cybersecurity risks.

So, if the software you use has not been PenTested, you should be worried. As evidenced by the SEC’s regulatory action against RT Jones, if your vendor or vendor-provided software results in the loss of customer data (e.g., Personally Identifiable Information, aka PII), you will be held responsible.

Michael pointed out a statement from the Office of Compliance Inspections and Examinations, 2017 Examination Priorities, Section: Assessing Market-Wide Risks, highlight 6.

"In 2017, we will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls." OCIE

Michael also pointed out that, in his experience, many organizations assume their vendors have taken appropriate measures to test and secure their solutions. Unfortunately, nothing could be further from the truth. Surprisingly, many vendors are completely oblivious to some of the most common security issues inherent in their software that could adversely affect their clients and, more importantly, their clients’ customers. That’s why the SEC requires all registrants to be responsible for their vendors’ security and the security inherent within the solutions those vendors provide. This is especially important if the vendor solution is a cloud-based application that is potentially accessible to the world. As such, it is critical to expect and ensure that any 3rd party software you utilize has been thoroughly PenTested. It is because of this critical requirement that BasisCode is acutely aware of the need to protect its clients through periodic PenTesting of its code.

What is Penetration Testing (Pen Test) as it Relates to BasisCode

PenTesting involves the use of an external vendor to extensively test the application with automated tools in collaboration with ethical testers (e.g., “White Hat Hackers”) who are keenly aware of the methods and tools that real-world hackers might employ. Since attackers can be both unknown outsiders and credentialed users with access to the application, the testers seek to exploit weaknesses both from the outside environment and from inside the application.

BasisCode utilizes an unbiased 3rd party organization to perform PenTesting at least twice a year. Through this process of continuous testing, we constantly look to identify and immediately remediate any and all potential vulnerabilities that might put our clients at risk.

Examples of some of the tests in Pen Testing:

  • Illegal or unauthorized logins
  • Ability to shut down or deny access to authorized users
  • Ability to access, modify, or destroy unauthorized client data
  • Ability to inject malicious code in areas where input is required
  • Ability to gain access to data or code that is not authorized
  • And many more...

Webinar On Penetration Testing (Pen Test)

Webinar - Penetration Testing and Vulnerability Assessments

For more information on what PenTesting is and what every SEC registrant needs to know, see Michael Brice explain this process and the related threats (both compliance and operational) that face asset managers on a daily basis.

Webinar Overview

Penetration Testing and Vulnerability Assessments: Michael Brice, Founder of BW Cyber Services, along with Paul Caiazzo of TruShield and John Lukan of SEC3, will explain the regulatory requirements and discuss the critical benefits this testing provides.

While advancements in technology have greatly improved the speed, efficiency, and capability of investment advisers’ and broker-dealers’ systems and workflows, these developments have also significantly increased operational and reputational risk.

An isolated system intrusion can have dramatic consequences for a registrant, including financial loss, ongoing liability to clients and investors, and potential regulatory enforcement action. In today’s environment, if a “hacked” registrant has any hope of avoiding a regulatory enforcement action, it is imperative that it can demonstrate adequate policies and procedures to identify and test potential cybersecurity vulnerabilities and weaknesses. Such policies must also address the experience, security vetting process, and location of any external party performing such tests.

About BW Cyber Services

At BW Cyber Services, our goal is to help our clients quickly become cyber compliant, cyber knowledgeable, and cyber protected. In this technologically complex world, criminals, nation states, “hacktivists”, and even tech-savvy adolescents are continuously searching for weaknesses or vulnerabilities that will enable them to prey upon your business. To help mitigate these risks of attack and address your cyber compliance needs, BW Cyber Services provides turn-key cyber audit and cyber regulatory compliance services tailored to meet both the compliance and real-world security needs of our clients, which include NFA and SEC/FINRA registrants, as well as family offices and endowments. Our consultants are not only cyber experts; they also possess decades of hands-on financial industry expertise. It is this expertise that allows us to provide reasonably priced, pragmatic solutions that will benefit your business well beyond technology implementation or administrative compliance. For more information visit www.bwcyberservices.com.