The Perfect and Continuous Storm: Understanding the Cyber Implications of the Regulatory Governance For Security Advisors

October 21, 2015
No Comment

Founder and Chief Security Strategist at eSentire Eldon Sprickerhoff recently penned a blog post titled “The Perfect Storm: Understanding the Implications of the Regulatory Governance Spotlight.”  In this piece he underscored the compliance regime around registered investment advisors (RIA), a key descriptor used by the Security and Exchange Commission and other regulatory bodies to refer to those that give advice about securities.

This is a field we encourage all technology professionals to track, even if your current duties are far from the investment advice world. The rules being crafted for this environment are applicable across multiple domains and can generate best practices worth applying elsewhere. And the SEC investigations and in some cases fines associated with RIA’s are also being seen as widely applicable outside of the RIA domain.

One key case mentioned by Sprickerhoff was the 22 Sep 2015 announcement that the SEC and an investment advisor agreed to settle charges based on poor cybersecurity posture of a firm (see SEC Charges Investment Advisor With Failing To Adopt Proper Cybersecurity Practices). In this case, a breach had resulted in the compromise of over 100,000 people’s personal information, and the firm which held that information had not been in compliance with SEC rules that said RIA’s must adopt written policies and procedures to ensure the security and confidentiality of this information.

Sprickerhoff added that:

The SEC’s investigation revealed that the firm neglected to implement policies and procedures designed to protect sensitive client data. It also failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server and maintain a response plan for cybersecurity incidents – all of which are fundamental cybersecurity considerations.  One may also note that in this case the reputational damage to the firm greatly overshadows the costs of remediation.

The report highlights the imminent risk facing all firms and disciplinary actions for those failing to comply. Regulatory agencies around the globe are quickly following suit, assuming a governance role designed to protect sensitive assets and far reaching implications associated with a security breach.

He went on to underscore how eSentire is helping regulated firms meet requirements:

The flurry of activity from regulators this month emphasize that what was once a growing concern has become a perfect storm for firms around the globe.

eSentire has released an updated RIA Cybersecurity Matrix, a pragmatic security to-do list that helps firms define and achieve a cybersecurity strategy. Cybersecurity isn’t a “one size fits all” exercise. The Matrix compartmentalizes the concerns of funds, using a firm’s AUM as a rough guide.   Recognizing that each firm operates within a different maturity model, the RIA Cybersecurity Matrix permits CTO’s to identify what is an appropriate cybersecurity response, and structure a proactive, methodical plan for what needs to be accomplished in the next year.

For well over a decade, eSentire has provided clients with award-winning and unparalleled tactical cyber defence from a variety of attacks. From active defence initiatives against the FIN4 group (13 months before it was described in the mainstream media) to in-depth analysis and tools to address the most recent SSL vulnerabilities, eSentire’s cybersecurity practice is unmatched within the Registered Investment Advisors community.   As a member of the both theFinancial Services Information Sharing and Analysis Center (FS-ISAC) and theOASIS Cyber Threat Intelligence Technical Committee (CTI), eSentire remains on the leading edge of the threat landscape.

We pride ourselves on our reputation as the leading security advisor within the RIA market and to that end we’ve aligned with the regulatory associations driving cybersecurity change. eSentire remains committed to delivering essential programs that allow firms to stay ahead of governance recommendations and requirements.

We have seen first-hand how eSentire’s solutions in the regulated investment advisor domain enhance the security and reduce the risk of businesses. We have also seen first-hand how their capabilities are applied in other highly regulated businesses including those in domains of Healthcare and Defense.

For more on eSentire see