For more information contact:
RobF@naplia.com | 1-508-656-1327
Eric Hess has over 15 years of experience acting as senior in-house counsel, general counsel or senior management for exchanges, broker dealers, and financial services technology providers.
His experience includes creating legal, compliance and technology & operational risk management functions, designing compliant trading technology, advocating for regulatory change, closing transactions, managing regulatory inquiries & investigations and facilitating company growth, both organically and through strategic transactions.
Mr. Hess holds Series 7 and 24 licenses and is admitted to practice in the States of New York and New Jersey.
Eric welcomes your call at 646-783-7030, or firstname.lastname@example.org.
Raj Bakhru, CFA
Raj Bakhru is the Chief Executive Officer of Aponix Financial Technologists, a firm focused on independent, holistic technology risk assessments and advisory for financial firms.
Before co-founding Aponix, Raj led the firm-wide software development and was part of the founding team at Kepos Capital, now a $2 billion global-macro quantitative asset manager. He has also held roles at Highbridge Capital, and Goldman Sachs Asset Management.
Raj is an alumnus of Columbia University.
Raj welcomes your call at 914-743-5100, or email@example.com.
Cyber-Security Q & A with Eric Hess and Raj Bakhru
The following is a conversation between NAPLIA's cyber program manager, Rob Ferrini, and Attorney Eric Hess and Raj Bakhru surrounding cyber security concerns.
Rob Ferrini: How can people keep abreast of all the new laws and regulations impacting cyber security? How do they understand their responsibilities?
Eric Hess and Raj Bakhru: Their approach should be similar to how their firm currently keeps abreast of all other rules and guidance issued by regulator(s) (SEC, CFTC, OCC, state regulators, FINRA, CME, CFPB, etc.). One primary difference is a firm's notification obligations under state law in the event of a breach that involves personally identifiable information (PII). Such breaches can involve a complex analysis across multiple jurisdictions that is highly dependent on which states' residents are impacted. Certain states -- such as Massachusetts -- impose additional obligations on firms with regard to handling their residents' PII.
Existing regulatory resources that assist firms with respect to interpreting such new laws (current in-house or external compliance staff or attorneys) may be inadequate to implement either the regulators' standards for information security or to comply with breach notification requirements. Ensure that you engage properly qualified resources.
Firms processing PII must have written policies and procedures addressing their response in the event of an information security breach. This requires ensuring that they are familiar with the applicable breach notification laws.
For firms that don't have dedicated technology staff, who should they appoint? How can these firms start preparing to implement an information security program?
EH & RB: Firms without dedicated technology staff will be heavily dependent on third party IT providers. The responsibility for managing the integration, maintenance and acquisition of new or enhanced applications will, in such cases, reside with the Chief Operating Officer. Identifying the necessary resources and overseeing the implementation of an information security program should reside with the COO.
The first step in preparing for an information security program is to take inventory of all processes, whether automated or manual, that handle sensitive or confidential information. Armed with that inventory, firms need to understand the value of such assets (including the damage to the firm that could result from the asset being damaged, made unavailable, lost or stolen). This is more than simply prioritizing, as establishing an estimated value will dictate the resourcing to protect it. Prior to or after this process, your firm should appoint key decision makers and overseers of the process. With all this in place, the easy part is over. Prior to developing an information security program, your firm now needs to assess its current state. Some firms might want to rush right to documenting and implementing their information security program, but firms that fail to devote the necessary resources to the assessment phase will have an ineffective program. Your firm must not only have a baseline, updated on an ongoing basis, against which to measure its program's effectiveness, but it needs to ensure that its information security efforts are focused on the appropriate areas for the firm's unique state from the start.
An information security program consists of a number of key elements centered on technology governance, evidenced by documentation, that puts into place the right processes, controls, and procedures, e.g. quarterly access reviews. Putting in place the right set of governance may require outside expertise, but it will protect the firm on an on-going basis.
Can they just use template policies and procedures?
EH & RB: That is inadvisable. As with any written policy or procedure subject to examination, if you don't actually do what the policies and procedures state, then you shouldn't have them. In addition to creating a red flag for an examiner, it may also create a false sense of security (and hence vulnerability) within your
An information security program can only be effective if it is based upon an assessment of the firm's then-current state. Firms without the in-house expertise to conduct such an assessment, no matter what their size, should consider engaging experienced third parties. There should be separate entities conducting the assessment and proposing solutions based on the assessment to minimize conflicts of interest (i.e., to ensure that the assessment is not impacted by revenue generation pressures or a lack of objectivity in the assessment phase). For example, engaging your IT infrastructure provider to conduct such an assessment will likely result in a validation of the measures that they are already undertaking; any gaps that they previously failed to identify would be unlikely to surface as part of such an assessment.
A reliance on templates not customized to your organization might result in an inappropriate program in terms of sizing and protection measures, as well as lack of specificity for your unique environment. There is a balance between implementing overly restrictive or costly measures, on the one hand, and having insufficient information and systems protections, on the other.
There are frameworks that follow a disciplined and effective methodology for developing such policies (e.g. COBIT, ITIL, ISO, NIST) and these should be incorporated as part of the process.
How should policies and procedures evolve over time? What's a good example of that?
EH & RB: An effective information program requires assessing your policies and procedures periodically. Three of the primary reasons that policies and procedures might change over time are: (i) experience with the existing program and its adequacy (or inadequacy); (ii) emergence of new threats; and (iii) emergence of new solutions. Some of these reasons may blend together. For example, a new vendor application could test the deficiencies in an organization's vendor management program with new technology or even the ability of certain parts of the organization to manage risks. This experience could cause a shift of responsibilities or lead to the development of processes to ensure that such deficiencies are addressed adequately. Similarly, the new vendor application could introduce new risks to the organization because of the vendor's information security inadequacy or because new capabilities and opportunities might create more information dependencies. Lastly, the new risks may be mitigated by new or existing technologies.
What are some of the issues you've seen fall out of the risk assessment in the past?
EH & RB: At one firm, we were able to fully steal the COO's account credentials through a simple spoofed phone call to the outsourced IT provider's help desk.
We've also seen scenarios where segregation of duties was violated. Access controls go beyond just policies -- they need to be enforced. For a hedge fund, the CFO should not be able to trade, but we've encountered scenarios where they unknowingly had trading access.
It is common to see issues around the wifi network setup and generally, the internal network protections. Vendors should not be able to connect laptops into the corporate network, for example -- that creates exposure to a great deal of malware.
Cryptolocker is a great example of what could happen in a bad scenario. We have seen it enter a firm via phishing, but it could just as easily target unpatched Windows vulnerabilities and spread via laptops connected to your internal network. Cryptolocker was a ransomware program that hit a number of firms, from mom and pops and home computers all the way to $20b hedge funds that we know are getting impacted by it. Cryptolocker encrypts all the files the user has access to (shared or personal) and then requires a bitcoin payment to unlock them. Many firms have had to pay up, and that's exactly what all these protections are working to avoid. Cryptolocker, to a large extent, was not as malignant as it could have been. Had it had the capability to detect that it had infiltrated a financial firm, it could have easily exploited far more money purely because of the headline risk the firm was exposed to. Worse, if the motive was purely malicious and not financial, it would have just wiped out those files, stolen them, or permanently corrupted them.
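The segregation-of-duties finding above (a CFO who unknowingly held trading access) is the kind of thing a quarterly access review should surface mechanically rather than by chance. The script below is an added example, not part of the interview and not Aponix's or Hess Legal Counsel's tooling: it takes an access export in a hypothetical "user / system / entitlement" shape (the rows, the entitlement names and the toxic pairs are all constructed for illustration) and reports both toxic combinations held by one person and entitlements a user holds beyond what their role allows.

```python
"""Segregation-of-duties check over an access export (added example, constructed data)."""
from collections import defaultdict

# Constructed sample rows, in the shape an IAM or order-management export might take.
ACCESS_EXPORT = [
    {"user": "cfo",     "system": "OMS", "entitlement": "trade.submit"},
    {"user": "cfo",     "system": "GL",  "entitlement": "payment.approve"},
    {"user": "cfo",     "system": "GL",  "entitlement": "vendor.create"},
    {"user": "trader1", "system": "OMS", "entitlement": "trade.submit"},
    {"user": "ops1",    "system": "OMS", "entitlement": "trade.confirm"},
    {"user": "ops1",    "system": "GL",  "entitlement": "vendor.create"},
]

# Toxic combinations: no single person should hold both halves of a pair.
TOXIC_PAIRS = [
    ("trade.submit", "trade.confirm"),     # initiate and confirm a trade
    ("vendor.create", "payment.approve"),  # create a payee and approve its payment
]

# Role allow-list: the entitlements each user is expected to hold (hypothetical).
ROLE_ALLOWED = {
    "cfo":     {"payment.approve"},
    "trader1": {"trade.submit"},
    "ops1":    {"trade.confirm", "vendor.create"},
}


def entitlements_by_user(rows):
    """Collapse the export into {user: set(entitlements)}."""
    by_user = defaultdict(set)
    for row in rows:
        by_user[row["user"]].add(row["entitlement"])
    return by_user


def find_toxic_combinations(by_user, toxic_pairs):
    """Users holding both halves of a toxic pair, as (user, a, b) tuples."""
    findings = []
    for user, ents in sorted(by_user.items()):
        for a, b in toxic_pairs:
            if a in ents and b in ents:
                findings.append((user, a, b))
    return findings


def find_unexpected_access(by_user, role_allowed):
    """Entitlements a user holds that their role does not allow, as (user, entitlement)."""
    findings = []
    for user, ents in sorted(by_user.items()):
        for ent in sorted(ents - role_allowed.get(user, set())):
            findings.append((user, ent))
    return findings


def access_review(rows, toxic_pairs=TOXIC_PAIRS, role_allowed=ROLE_ALLOWED):
    """Run both checks and return a report dict suitable for sign-off."""
    by_user = entitlements_by_user(rows)
    return {
        "toxic": find_toxic_combinations(by_user, toxic_pairs),
        "unexpected": find_unexpected_access(by_user, role_allowed),
    }


if __name__ == "__main__":
    report = access_review(ACCESS_EXPORT)
    for user, a, b in report["toxic"]:
        print(f"TOXIC      {user}: holds both {a} and {b}")
    for user, ent in report["unexpected"]:
        print(f"UNEXPECTED {user}: has {ent} outside role allow-list")
```

On the constructed rows the review flags the CFO twice: once for holding `trade.submit` outside the allow-list (the interview's scenario) and once for the create-vendor / approve-payment toxic pair. Feeding a real export in and diffing the report quarter over quarter is what turns the policy in L21 into an enforced control.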
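The Cryptolocker behaviour described above (every file the user can reach rewritten to an unreadable form, then a ransom demand) leaves a recognisable trace on a file server: one account renaming or overwriting many files to a foreign extension within seconds, often followed by a dropped ransom note. The detector below is an added example, not from the interview and not a product of either firm; it runs over constructed file-server audit lines in a hypothetical `ts user= op= path= newpath=` format, so the field names, the window and threshold, and the `.encrypted` extension are all assumptions to tune against your own server's audit log.

```python
"""Mass-rename / ransom-note heuristic over constructed file-server audit lines (added example)."""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit-line format; real servers differ, adapt the regex.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path="(?P<path>[^"]+)"'
    r'(?: newpath="(?P<newpath>[^"]+)")?$'
)
WINDOW = timedelta(seconds=60)   # look-back window per user
THRESHOLD = 5                    # suspicious renames inside the window before alerting
KNOWN_EXT = {".xlsx", ".docx", ".pdf", ".txt", ".csv"}
NOTE_RE = re.compile(r"(decrypt|how_to|readme|restore)", re.IGNORECASE)

# Constructed sample: asmith does normal housekeeping; jdoe looks like ransomware.
SAMPLE_LOG = """\
2014-03-05T09:11:40 user=asmith op=RENAME path="/shares/finance/notes.txt" newpath="/shares/finance/notes.bak"
2014-03-05T09:12:01 user=jdoe op=WRITE path="/shares/finance/q1_pnl.xlsx"
2014-03-05T09:12:02 user=jdoe op=RENAME path="/shares/finance/q1_pnl.xlsx" newpath="/shares/finance/q1_pnl.xlsx.encrypted"
2014-03-05T09:12:04 user=jdoe op=RENAME path="/shares/finance/investors.docx" newpath="/shares/finance/investors.docx.encrypted"
2014-03-05T09:12:05 user=jdoe op=RENAME path="/shares/finance/board.pdf" newpath="/shares/finance/board.pdf.encrypted"
2014-03-05T09:12:07 user=jdoe op=RENAME path="/shares/finance/positions.csv" newpath="/shares/finance/positions.csv.encrypted"
2014-03-05T09:12:08 user=jdoe op=RENAME path="/shares/finance/memo.txt" newpath="/shares/finance/memo.txt.encrypted"
2014-03-05T09:12:10 user=jdoe op=RENAME path="/shares/finance/model.xlsx" newpath="/shares/finance/model.xlsx.encrypted"
2014-03-05T09:12:11 user=jdoe op=WRITE path="/shares/finance/DECRYPT_INSTRUCTIONS.txt"
2014-03-05T10:40:12 user=asmith op=RENAME path="/shares/finance/draft.docx" newpath="/shares/finance/draft_final.docx"
"""


def parse_line(line):
    """Return a dict of fields with a datetime ts, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def is_suspicious_rename(ev):
    """A rename whose new extension is not one the business normally produces."""
    if ev["op"] != "RENAME" or not ev["newpath"]:
        return False
    return os.path.splitext(ev["newpath"])[1].lower() not in KNOWN_EXT


def detect_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert once per user when suspicious renames inside `window` reach `threshold`."""
    recent = defaultdict(deque)   # user -> timestamps of recent suspicious renames
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_suspicious_rename(ev):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in flagged:
            flagged.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def ransom_note_writes(lines):
    """Writes of files whose name looks like a ransom note, as (user, path)."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["op"] == "WRITE" and NOTE_RE.search(os.path.basename(ev["path"])):
            hits.append((ev["user"], ev["path"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in detect_mass_rename(lines):
        print(f"ALERT mass rename by {a['user']}: {a['count']} files {a['first']} .. {a['last']}")
    for user, path in ransom_note_writes(lines):
        print(f"ALERT possible ransom note written by {user}: {path}")
```

On the sample, asmith's two renames never reach the threshold (and the second one keeps a known extension), while jdoe trips the alert on the fifth rename six seconds after the first, before the ransom note lands. In practice the alert should disable the user's share access or the session, since by the time a human reads it the encryption is usually finished; the threshold is the lever between catching it early and paging on a legitimate bulk rename.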
What are some of the biggest, most common cyber-security concerns? How can firms specifically mitigate those?
EH & RB: Broadly, those that impact every organization, beyond the vendor and cloud concerns, are mobile and remote access. As soon as you extend your firm's data or network off-premise, it becomes a challenge to protect the network and its data.
On the mobile access front, a number of solutions have come to market to replace the role Blackberry devices played. The beauty of the old Blackberry devices is that they completely segregated work data and systems from personal data and systems. However, the move to BYOD or single devices has brought about a need for new means of segregating and protecting. Containerized mobile data management (MDM) seeks to fill that void. Current solutions are still in their infancy. While they can achieve a wide set of functionality in terms of encrypting the data on the device, allowing for a remote wipe, enforcing password protection and compliance on the device, etc., many often have bugs or are not as user friendly. That will quickly change as we see more widespread adoption of those platforms.
On the remote access front, this is nothing new, but in many ways it's a larger concern because of the widespread use of VPNs and remote desktop. VPNs quite literally extend the corporate network to employees' homes, and if sandboxing is not in place, any malware that may be residing on that home network could easily find its way into the corporate network. With remote desktop, precautions are not always taken to isolate the session and prevent transfer of data or files, for example. Both VPNs and remote desktop, via Citrix or directly, can be locked down and secured.
Both concerns highlight the importance of segregating and creating a sandbox environment or isolating the corporate network, all to minimize touch points to the external world.
The biggest concerns often come from the human element. The best precaution for that risk is education and training.
What are these 'human' risks? What kind of education or training can be given to help reduce these risks?
EH & RB: The easiest means for a hacker to gain entry into a firm is spear-phishing. Phishing (with a ph) is a technique whereby attackers send emails with malicious attachments or falsified links to either install malware on the local machine or to steal credentials or personal information. Spear-phishing is a targeted phishing attack. It's as simple as playing the probabilities. A good spear-phishing attack will get upwards of 70% of clicks and as high in stolen credentials or malware installs. Simply sending to a number of firms and a number of employees at each firm will expose them.
While a good spam filter will detect many of these emails, it's not difficult, especially in a targeted attack, for a hacker to get past the spam filter. Thus, the last line of defense is the employee, or the human factor.
To enhance that last line of defense, firms should provide at least annual staff security training. A great lead-in and/or follow-up to that training is phishing tests. These tests mimic what hackers would do and send targeted spear-phishing emails to the staff to track how many users click the link, provide login credentials, or install software. Aponix has conducted such tests and used response statistics in staff security training to emphasize the risk and ease of attack. This reinforces that users need to be vigilant with their email. In most of the phishing tests that Aponix conducts, it is able to trick between 50 and 70+% of the users on at least one of the phishing attack emails.
Staff security training should address much more than just phishing emails, of course. Additional topics should cover acceptable technology use at the workplace, the culture of risk and compliance ("see something say something"), the impact their actions could have on the internal network and operations, personal security protections (bank accounts, personal email, etc.), communication and identification of sensitive data and how to protect it, explanations of social engineering, physical security protections, a walk-through of what to do in a DR event, etc.
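The phishing-test statistics quoted above (click rate per email, credentials submitted, and the share of users caught by at least one of several lures) are aggregations over a campaign's event log. The script below is an added example, not part of the interview and not Aponix's test harness: it works over a constructed event list in a hypothetical `(campaign, user, event)` shape and computes per-campaign rates, the "fooled at least once" share that the answer cites, and the repeat clickers who should get targeted follow-up training.

```python
"""Phishing-test campaign statistics over a constructed event log (added example)."""
from collections import defaultdict

# Constructed events: three lures sent to the same five users. Event names are hypothetical.
EVENTS = [
    ("pw-reset", "alice", "delivered"), ("pw-reset", "bob", "delivered"),
    ("pw-reset", "carol", "delivered"), ("pw-reset", "dave", "delivered"),
    ("pw-reset", "erin", "delivered"),
    ("pw-reset", "alice", "clicked"), ("pw-reset", "bob", "clicked"),
    ("pw-reset", "carol", "clicked"),
    ("pw-reset", "alice", "submitted_credentials"),
    ("pw-reset", "bob", "submitted_credentials"),
    ("invoice", "alice", "delivered"), ("invoice", "bob", "delivered"),
    ("invoice", "carol", "delivered"), ("invoice", "dave", "delivered"),
    ("invoice", "erin", "delivered"),
    ("invoice", "carol", "clicked"), ("invoice", "dave", "clicked"),
    ("invoice", "dave", "opened_attachment"),
    ("ceo-wire", "alice", "delivered"), ("ceo-wire", "bob", "delivered"),
    ("ceo-wire", "carol", "delivered"), ("ceo-wire", "dave", "delivered"),
    ("ceo-wire", "erin", "delivered"),
    ("ceo-wire", "bob", "clicked"),
]

# Any of these counts as "fell for it"; "delivered" is the denominator.
COMPROMISE_EVENTS = {"clicked", "submitted_credentials", "opened_attachment"}


def campaign_rates(events):
    """{campaign: {event: share of delivered users who produced that event}}."""
    users = defaultdict(lambda: defaultdict(set))   # campaign -> event -> users
    for camp, user, ev in events:
        users[camp][ev].add(user)
    rates = {}
    for camp, by_ev in users.items():
        delivered = len(by_ev["delivered"])
        rates[camp] = {ev: len(u) / delivered for ev, u in by_ev.items() if ev != "delivered"}
    return rates


def share_fooled_at_least_once(events):
    """Fraction of all targeted users with a compromise event in any campaign."""
    targeted = {user for _, user, ev in events if ev == "delivered"}
    fooled = {user for _, user, ev in events if ev in COMPROMISE_EVENTS}
    return len(fooled & targeted) / len(targeted)


def repeat_clickers(events, min_campaigns=2):
    """Users caught by at least `min_campaigns` distinct lures, sorted by name."""
    camps = defaultdict(set)
    for camp, user, ev in events:
        if ev in COMPROMISE_EVENTS:
            camps[user].add(camp)
    return sorted(u for u, c in camps.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    for camp, r in campaign_rates(EVENTS).items():
        print(camp, {ev: f"{v:.0%}" for ev, v in r.items()})
    print("fooled at least once:", f"{share_fooled_at_least_once(EVENTS):.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
```

The point the interview makes is visible in the numbers: no single lure beats 60% here, but 80% of the users fell for at least one, which is the figure to show in training. Denominating on `delivered` rather than on users in the directory matters, since a spam filter that quarantined the email for some users would otherwise make the firm look better than it is.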
If a firm already has mobile and remote access protections and phishing tests with staff security training, what else should they be doing?
EH & RB: The key is to start with a holistic risk assessment to know where your processes and controls are deficient and to know what precautions you ought to have in place that aren't. That will identify everything you should be doing that you aren't, while also helping you
Every firm should also undergo network vulnerability testing -- both internal and external. External network testing generally approaches your environment from the perspective of hackers, who are completely outside your network and are scanning for easy means of getting in. Most enterprise firewalls should block all non-permissioned access points, but that needs to be validated. The internal network test takes the opposite approach. It detects what could be attacked if malware were to get inside the network, such as from a successful phishing attack. That will identify resources that could be better protected to prevent the malware from spreading further and impacting more resources.
What can be required of third parties in contracts? Are these terms enforceable?
EH & RB: As a practical matter, it depends on the vendor and what concessions it is willing to make in order to secure a client. Hess Legal Counsel has encountered vendors that have requested and agreed to proposed information security measures without modification. In such situations, I have advised clients to reconsider such vendors as the request indicates a lack of a program within the vendor. I have also encountered vendors who have heavily negotiated Hess Legal Counsel's proposed security clauses because it conflicted with their information security program. In such instances, I have reviewed the vendor's information security program for sufficiency and, at times, made recommendations relevant to my client's needs. In all instances, Hess Legal Counsel has always required a continuous monitoring and reporting process.
Monitoring and reporting enables the enforceability of your contractual requirements respecting information security provisions. Absent the provision of metrics by the vendor, there is no way to validate that the vendor is carrying out their information program.
If firms outsource IT, does it minimize their information security issues?
EH & RB: Outsourcing a process moves the associated information security risk to another party, in addition to creating a much larger point of failure for your firm. While an established provider may provide better security, it is also important to remember that it may also be a bigger target to cyber criminals. Further, make sure to understand the challenges of disengaging from a fully outsourced relationship from a systems perspective prior to making the commitment.
On the flip side, however, some of these risks can be minimized by having a contingency plan in place in the event your provider of outsourced services is unavailable. This may involve backing up your data with another third party and even ensuring that a third party can provide similar services should your main provider encounter issues.
Also, understanding how you would transition away if necessary might avoid a nasty surprise should such a transition become necessary.
Lastly, understand your ability to conduct forensic analysis at your provider's facilities with respect to a breach of your data if the provider is processing PII on your behalf.
Additionally, it's important to understand all the security options available to you, and what your provider will take care of versus what remains your responsibility. For example, protecting your DNS/registrar account often remains your responsibility, whereas your provider takes responsibility for your firewall.
What level of diligence should they perform on vendors/third parties? What are the biggest risks in moving part of operations to a cloud provider?
EH & RB: Vetting of third parties involves not just software vendors or IT providers, but also key service providers, depending on the criticality of their function to your business' operations and the sensitivity of the data they maintain on your behalf. In many ways, key service providers act similarly to cloud providers, in that their operations are off-premise and your data is externally hosted.
With regards to their cyber-security precautions and data loss prevention, you need to see a copy of your vendor's information security program to ensure that it accords at least the same level of protection to your sensitive or confidential information as your organization does. You also need to assess not only the security processes that they have in place, but also whether they have the right resources (personnel, systems) to carry it out. This should involve an onsite visit to the vendor's data center if PII is involved. Firms should check whether a third party has performed a technology risk assessment or audit that can be shared. If it cannot be shared because it was performed on behalf of a vendor's customer, you might want to request to speak to the person performing the information security function for such customer as a reference.
Diligence on the vendor should include not just their precautions against hackers or malicious external parties, but their internal access controls and protections as well.
SOC1/SOC2 audits are generally insufficient given they often lack network testing and often lack the level of detail/depth required to fully validate that the necessary governance and precautions are in place.
Even firms without PII may require substantial diligence if they're hosting critical data on your firm's behalf or critical systems for your firm's daily operations. Both the FCA and SEC have indicated that diligence of third parties is necessary and that these firms need to be held to the same standards as your own. You remain liable for any technology-related issues or breaches at your third parties.
The key risks of moving to the cloud are: (i) unavailability of the system given loss of control; (ii) reliance on the cyber-security protections and precautions of the cloud provider; and (iii) the heightened risk of information being taken given more widespread access to the data.
With regard to unavailability, moving to the cloud could present better up-time and maintenance of the system given the vendor will directly manage it. This, however, also presents risks in that the vendor's governance (processes, controls, procedures) may not manage the application as strictly as one would internally. For example, while the process of upgrading the software is likely automatic and seamless, that often comes at the expense of pre-upgrade testing and vetting on your part. These risks can be mitigated through a number of means, such as external copies of the data, code vaulting, SLAs, etc.
If a provider indicates that it encrypts an organization's sensitive information, is all encryption the same?
EH & RB: Encryption can take different forms and multiple types of encryption are required to best protect your data (and even then, it could be lost). For sensitive or confidential information, encryption should be occurring while the data is in transit as well as when it is residing in the provider's database.
Encryption is only one piece of the puzzle. As mentioned, processes and controls are extremely important. Encryption solely helps protect data readability, but does not protect against system unavailability. Loss of the encryption keys will also render the encryption protections fruitless. Further, encrypted data can easily be corrupted, resulting in loss of the data, so understanding processes around backups and replication is important to minimize operational risk.
What government resources are available to assist in the event of a breach?
EH & RB: Your local Secret Service office or FBI office should be notified if the breach is due to a third party attack, and it is a good idea to reach out to them as soon as you suspect a third party breach as they may already be investigating the breach. In addition to helping others to avoid similar breaches, it can also enable your firm with respect to forensics and remediation. For this reason, understanding your contacts at these offices and their protocol for managing reports of such incidents should be part of your pre-breach planning process with respect to the handling of PII.
The FBI or the Secret Service, as your initial primary contact, may involve the Department of Homeland Security, which will assist in forensic analysis and cleansing.
Neither the FBI nor the Secret Service will engage the SEC or provide data to the SEC for inquiries or examinations.
Eric & Raj: Now to turn the tables on you, what are the key provisions and terms for cyber-security insurance? What is third party coverage, for example? How much do I need and how much should I require of my vendors?
Rob: Cyber-security coverage (also known as Information Security or Data Breach) affords the insured with access to a team of experts who will provide practical and direct expertise guiding the insured through the breach. It provides assistance to both the insured (considered the first party) and the affected individual/client (considered the third party).
Cyber-security insurance can be broken into three core coverages:
Loss Containment: provides for the assistance of forensic experts to determine cause of loss and suggestions to secure data; public relations assistance for managing the immediate crisis; a call center to manage calls; assistance notifying affected individuals; credit monitoring for those affected; and financial assistance required to repair damage to persons with stolen identity.
Headache Coverage: regulatory defense and penalties coverage; costs associated with hiring specialized legal expertise; and cost of fines and penalties levied as a result of the breach.
Additionally it includes website media coverage, business interruption, extra expense, data asset and cyber extortion coverage.
How much do I need and how much should I require of my vendors?
Rob: According to the 2014 Cost of Data Breach study by the Ponemon Institute, data breaches cost companies an average of $201 per compromised record, of which $134 pertains to indirect costs including abnormal turnover or churn of customers. Data breaches caused by third parties increased per capita cost by $25, and data breach incidents involving the loss or theft of data-bearing devices increased per capita cost by as much as $18 per record. Organizations that notified customers too quickly without a thorough assessment or forensic examination incurred an average cost increase of $15 more per record. So, in my opinion the real question is: how much can you afford to lose? The majority of our clients have a policy with an aggregate limit of $1,000,000.
Worth noting is that certain industries have significantly higher data breach costs. Specifically, heavily regulated industries such as healthcare, transportation, education, energy, financial services, communications, pharmaceuticals and industrial companies tend to have a per capita data breach cost substantially above the overall mean of $201. The financial sector had a per capita cost of $236.