The steady barrage of headlines about cybersecurity underscores a topic viewed with wary eyes by many executives, board members, and investors.
Employees may have access to sensitive data through smartphones that they carry everywhere. Globalization has increased the geographic reach of companies – making them visible to ever more hackers.
And those hackers are constantly getting more sophisticated.
“They’re changing techniques at lightning speed,” Marcus Prendergast, the chief information security officer of electronic brokerage and financial technology firm ITG, said Wednesday. “And it’s very difficult to keep ahead of this.”
Prendergast spoke at a roundtable the SEC convened to gather more information on cybersecurity dangers and best practices in order to inform possible future rulemaking aimed at protecting companies and investors.
Panelists said threats can be highly sophisticated or surprisingly simple. John Reed Stark, who manages data breach and cyber-incident response for investigations and risk management provider Stroz Friedberg, said lawyers are vulnerable to a particular type of simple phishing scam.
Stark said lawyers often include information identifying their clients in their online biographies. This makes it easy for a scam artist to impersonate an employee of one of the lawyer’s corporate clients in an email to the lawyer.
The email contains an attachment purporting to be a contract the lawyer needs to look at. The moment the lawyer clicks on the attachment, a virus enters the law firm’s computer system.
“You have to find the right balance there and develop a risk-based approach that’s going to incorporate that [danger],” Stark said. “And part of that is educating people, because you’re only as strong as your weakest link.”
Educating people – both employees and consumers – is one of many tactics experts advocated during the SEC roundtable. During one panel discussion for investment advisers, broker-dealers, and transfer agents, experts shared best cybersecurity practices.
Although practices may vary by industry and many of the speakers work for and with large firms with many resources, the tactics discussed may be useful in other industries and at smaller companies. Tactics included:
Involve the whole business in cybersecurity. “This is a corporate issue,” said Karl Schimmeck, managing director of financial services operations at the Securities Industry Financial Markets Association. “Those exercises don’t just sit in IT. They sit in business side. They sit in risk. … It’s everyone’s responsibility within a firm to maintain security. Make them a part of the exercises that are going on, and feed that into the continuous improvement.”
Be alert, constantly. “You’ve got to believe that you are going to get attacked,” said Craig Thomas, group chief information security officer for global investor services provider Computershare. “You’ve got to be thinking ahead of the game. Technology moves faster than security.”
Have a formal, written plan for how to react to a data breach. Computershare has playbooks for how to proceed in various breach scenarios, Thomas said. The company also conducts “dry runs,” practicing how to react under different kinds of attacks. And if the company is attacked, it follows the playbook and assesses the results afterward. “Did it work?” Thomas said. “If it didn’t work, fix it.”
Update your protection regularly. “Just because…a vendor is promising a product that’s going to take care of your security needs today…it doesn’t mean that tomorrow there might not be something around that can penetrate your defenses and make your firm very vulnerable,” Prendergast said.
“Ring fence” sensitive information. Building extra security around personal and sensitive data can prevent problems, said Mark Manley, deputy general counsel and chief compliance officer at asset management company AllianceBernstein. He said care must be taken to prevent employees from inadvertently exposing sensitive data by copying it and moving it to their personal folders. “That information, which was ring-fenced, part of it now is not,” Manley said.
Integrate information security with risk management. A comprehensive risk management program that incorporates information security, is dynamic, and is actively managed is better than simple controls, said Jimmie Lenz, chief risk and credit officer for Wells Fargo Advisors. He said the program has to be flexible, though, to accommodate different needs in different parts of the business. “We understand how to apply it in those different venues,” Lenz said.
—Ken Tysiac is a JofA senior editor.