BreachExchange mailing list archives

SEC examiners to review how asset managers fend off cyber attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Feb 2014 19:01:38 -0700

http://www.reuters.com/article/2014/01/30/us-sec-cyber-assetmanagers-idUSBREA0T1PJ20140130?feedType=RSS

U.S. regulators said Thursday they plan to scrutinize whether asset
managers have policies to prevent and detect cyber attacks and are properly
safeguarding against security risks that could arise from vendors having
access to their systems.

"We will be looking to see what policies are in place to prevent, detect
and respond to cyber attacks," said Jane Jarcho, the national associate
director for the Securities and Exchange Commission's investment adviser
exam program.

"We will be looking at policies on IT training, vendor access and vendor
due diligence, and what information you have on any vendors," she added, in
a presentation to a group of compliance professionals at SEC headquarters
in Washington, D.C.

The SEC's upcoming 2014 review of cyber security policies at asset managers
will be conducted as part of the agency's routine examinations of
investment advisers and investment companies, such as mutual funds.

Inspections are designed to catch major problems before they bubble up;
however, exams can also lead to enforcement action if the SEC uncovers
egregious activity or repeat violations.

The new details revealed on Thursday about the SEC's focus on asset
managers' cyber security policies come in the wake of attacks on several
well-known retailers, including Target Corp and Neiman Marcus.

The arts and crafts chain Michaels has also said its network may have been
breached, and the FBI has warned retailers to expect more attacks.

On Wednesday, Target revealed that the theft of credentials from an
undisclosed vendor helped the attackers gain access to about 40 million
credit and debit card records and another 70 million customer records.

Cyber thieves have been using vendors as a route to go after high-value
targets for several years.

In 2011, hackers attempted to break into the networks of defense contractor
Lockheed Martin Corp after stealing information from EMC Corp's RSA
security division that allowed them to duplicate SecurID electronic keys.

Last year hackers attacked security software maker Bit9, then used stolen
data to forge digital signatures on malicious software so they could launch
a second round of attacks on Bit9's customers.

The decision by the SEC to focus on cyber issues in its inspections of
asset managers pre-dated the Target incident.

But since the Target breach was made public in mid-December, some U.S.
lawmakers and law enforcement officials have ramped up their focus on the
issue and called for Congress to pass legislation that would require
retailers and other private businesses to inform government agencies and
customers about major breaches.

In 2011, in response to another rash of cyber attacks, the SEC drafted some
informal staff-level guidance for public companies to use when considering
whether to disclose cyber attacks and their impact on a company's financial
condition.

In addition, most states have laws on the books that require companies to
tell customers about breaches, even if they are privately held.

However, critics say this disparate regime is harmful for consumers and
investors because there is no unifying federal standard for when businesses
must report data breaches.

In April, when SEC Chair Mary Jo White took over the helm of the agency,
U.S. Senate Commerce Committee Chairman Jay Rockefeller asked her to
consider releasing more formalized commission-level guidance to help ensure
investors get information they need.

On the sidelines of Thursday's event, White said she felt the guidance the
commission issued in 2011 has been "helpful in improving disclosures."
However, she added, she plans to "continuously review" the issue to see if
the SEC should do more, as Rockefeller is suggesting.

Meanwhile, Jarcho said that SEC examiners also plan to check that asset
managers are properly reporting major "material" cyber events to
regulators.

"We recognize that as we sit here, there are probably thousands if not
millions of attempts right now going on, but they are minor," Jarcho told
the audience. "We don't expect each and every one to be reported," she
added.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 