Six cybersecurity basics


The steady barrage of headlines about cybersecurity underscores a topic viewed with wary eyes by many executives, board members, and investors.

Employees may have access to sensitive data through smartphones that they carry everywhere. Globalization has increased the geographic reach of companies – making them visible to ever more hackers.

And those hackers are constantly getting more sophisticated.

“They’re changing techniques at lightning speed,” Marcus Prendergast, the chief information security officer of electronic brokerage and financial technology firm ITG, said Wednesday. “And it’s very difficult to keep ahead of this.”

Prendergast spoke at a roundtable the SEC convened to gather more information on cybersecurity dangers and best practices in order to inform possible future rulemaking aimed at protecting companies and investors.

Panelists said threats can be highly sophisticated or surprisingly simple. John Reed Stark, who manages data breach and cyber-incident response for investigations and risk management provider Stroz Friedberg, said lawyers are vulnerable to a particular type of simple phishing scam.

Stark said lawyers often include information identifying their clients in their online biographies. This makes it easy for a scam artist to impersonate an employee of one of the lawyer’s corporate clients in an email to the lawyer.

The email contains an attachment purporting to be a contract the lawyer needs to look at. The moment the lawyer clicks on the attachment, a virus enters the law firm’s computer system.

“You have to find the right balance there and develop a risk-based approach that’s going to incorporate that [danger],” Stark said. “And part of that is educating people, because you’re only as strong as your weakest link.”

Educating people – both employees and consumers – is one of many tactics experts advocated during the SEC roundtable. During one panel discussion for investment advisers, broker-dealers, and transfer agents, experts shared best cybersecurity practices.

Although practices may vary by industry and many of the speakers work for and with large firms with many resources, the tactics discussed may be useful in other industries and at smaller companies. Tactics included:

Involve the whole business in cybersecurity. “This is a corporate issue,” said Karl Schimmeck, managing director of financial services operations at the Securities Industry Financial Markets Association. “Those exercises don’t just sit in IT. They sit in business side. They sit in risk. … It’s everyone’s responsibility within a firm to maintain security. Make them a part of the exercises that are going on, and feed that into the continuous improvement.”

Be alert, constantly. “You’ve got to believe that you are going to get attacked,” said Craig Thomas, group chief information security officer for global investor services provider Computershare. “You’ve got to be thinking ahead of the game. Technology moves faster than security.”

Have a formal, written plan for how to react to a data breach. Computershare has playbooks for how to proceed in various breach scenarios, Thomas said. The company also conducts “dry runs,” practicing how to react under different kinds of attacks. And if the company is attacked, it follows the playbook and assesses the results afterward. “Did it work?” Thomas said. “If it didn’t work, fix it.”

Update your protection regularly. “Just because…a vendor is promising a product that’s going to take care of your security needs today…it doesn’t mean that tomorrow there might not be something around that can penetrate your defenses and make your firm very vulnerable,” Prendergast said.

“Ring fence” sensitive information. Building extra security around personal and sensitive data can prevent problems, said Mark Manley, deputy general counsel and chief compliance officer at asset management company AllianceBernstein. He said care must be taken to prevent employees from inadvertently exposing sensitive data by copying it and moving it to their personal folders. “That information, which was ring-fenced, part of it now is not,” Manley said.

Integrate information security with risk management. A comprehensive risk management program that incorporates information security, is dynamic, and is actively managed is better than simple controls, said Jimmie Lenz, chief risk and credit officer for Wells Fargo Advisors. He said the program has to be flexible, though, to accommodate different needs in different parts of the business. “We understand how to apply it in those different venues,” Lenz said.

Ken Tysiac ( ) is a JofA senior editor.
