BreachExchange mailing list archives

11 Tips for Effective Cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Aug 2015 17:59:55 -0600

http://www.thinkadvisor.com/2015/08/03/11-tips-for-effective-cybersecurity

With major data breaches making headlines on a near-weekly basis, many in
the securities industry have wisely begun to focus on developing an
effective approach to cybersecurity. Although cybersecurity plans can vary
widely among firms depending upon their business, clientele and technical
architecture, among other things, effective plans include the following
features.

1. Build a Strong Cybersecurity Team

The first step in developing an effective approach to data security is
choosing the right information security team. Effective teams are
cross-sectional and include personnel from legal, information technology,
human resources, and communications or public relations departments. The
team should also include at least one member of senior management.

2. Conduct a Privacy Survey

Companies should conduct a privacy survey, which is the process of
identifying the legal and regulatory landscape that applies to companies in
the industry and to the types of data that the company collects and
maintains. Firms in the securities industry should consider:

— Regulatory regime. SEC and FINRA scrutiny of industry cybersecurity
measures is based on two SEC regulations. Regulation S-P requires firms to
establish written policies and procedures to ensure the security and
confidentiality of customer records and information. Regulation S-ID
focuses on preventing identity theft. Under Regulation S-ID, companies are
required to create and maintain reasonable policies and procedures to
promote identification, detection and responses to red flags for identity
theft.

— Federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA)
requires organizations to protect banking and financial information, and
has direct application to the securities industry. Additionally, many
states have laws that require companies to protect personally identifiable
information (PII) of customers and employees, and to notify individuals if
their PII is breached. Although the definition of PII varies from state to
state, PII generally covers data that can be used to identify a specific
individual including Social Security numbers, driver's license numbers,
financial account information and other identifying information.

— Contractual obligations. When the company will be responsible for
maintaining a third party's data, the company should consider whether the
contract creates additional cybersecurity obligations or cybersecurity
liability in the event of a breach. When the company's data will be
maintained by a third party, the company should take care to enter
contracts that ensure the company's data will be protected.

— Industry standards, audit protocols and internal policies related to
privacy and security

3. Understand Technical Systems

The information security team should develop a specific and detailed
understanding of its own network and identify where sensitive data is
stored. Sensitive data includes data protected by law, data protected by
contract, personally identifiable information and proprietary data.

Next, the team should ensure that sensitive data is segregated from regular
data and subject to additional physical, technical or procedural
protections, such as:

- Segmenting the network to separate sensitive data from non-sensitive or
public data and using technical protections, such as firewalls, to protect
the sensitive segments

- Using password protection and encryption on sensitive data

- Restricting physical access to hardware (including servers and computers)
and physical files

4. Implement “Privacy by Design”

The company should take a “privacy by design” approach when developing
cybersecurity solutions. This means that the company should create policies
and procedures that account for customer privacy, legal compliance and data
protection throughout the data life cycle (i.e., collection, processing,
storage and destruction). As part of this effort, the company should
develop comprehensive policies to address privacy and data security,
including:

- A “bring your own device” (BYOD) policy governing whether, and under what
circumstances, employees can use their own devices to conduct company
business

- A password policy requiring the use of strong, complex, unique passwords

- Personnel policies (including onboarding and off-boarding policies) that
enhance security

- A network monitoring policy requiring regular review of network traffic
for evidence of suspicious access
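Items 3 and 4 above call for placing sensitive data in its own firewalled segment and for regular monitoring of network traffic for suspicious access. The following script is an added example, not code from the article or from any firm it describes. It checks a constructed, syslog-style flow log against an assumed segmentation policy (a sensitive segment 10.20.0.0/24 that only listed source networks may reach, and only on listed ports) and flags traffic that either enters the segment outside the allow list or leaves it for an address outside the company's internal range. The addresses, ports, policy and log lines are all assumptions chosen for illustration; a practitioner would feed it real firewall or NetFlow exports.

```python
"""Flag flows that violate a network-segmentation policy.

Added example, not from the article.  Everything below (segment ranges,
allow list, log format and log lines) is assumed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed policy: the sensitive segment and who is allowed to reach it.
SENSITIVE = ipaddress.ip_network("10.20.0.0/24")
ALLOWED = [
    (ipaddress.ip_network("10.10.1.0/24"), 443),   # app tier -> API over TLS
    (ipaddress.ip_network("10.10.1.0/24"), 5432),  # app tier -> database
    (ipaddress.ip_network("10.0.9.0/28"), 22),     # bastion host -> SSH
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # anything else is external

# Constructed flow-log lines (not real traffic).
FLOW_LOG = """\
2015-08-03T09:00:01Z src=10.10.1.15 dst=10.20.0.5 dport=5432 proto=tcp bytes=1840
2015-08-03T09:00:07Z src=10.10.1.16 dst=10.20.0.5 dport=443 proto=tcp bytes=620
2015-08-03T09:01:12Z src=10.30.4.77 dst=10.20.0.5 dport=5432 proto=tcp bytes=910
2015-08-03T09:02:30Z src=10.0.9.3 dst=10.20.0.9 dport=22 proto=tcp bytes=300
2015-08-03T09:03:02Z src=10.10.1.15 dst=10.20.0.9 dport=22 proto=tcp bytes=300
2015-08-03T09:05:45Z src=10.20.0.5 dst=198.51.100.23 dport=443 proto=tcp bytes=52428800
2015-08-03T09:06:00Z src=10.10.1.15 dst=10.30.4.1 dport=80 proto=tcp bytes=400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flows(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": d["ts"],
            "src": ipaddress.ip_address(d["src"]),
            "dst": ipaddress.ip_address(d["dst"]),
            "dport": int(d["dport"]),
            "bytes": int(d["bytes"]),
        })
    return flows


def is_allowed(src, dport):
    """True if (source network, destination port) is on the allow list."""
    return any(src in net and dport == port for net, port in ALLOWED)


def find_violations(text, egress_threshold=10 * 1024 * 1024):
    """Return findings for inbound policy violations and outbound egress.

    An inbound flow to the sensitive segment is flagged unless its source
    network and port are on the allow list.  A flow from the sensitive
    segment to a non-internal address is always flagged, with a note when
    the byte count exceeds egress_threshold (an assumed exfiltration cue).
    """
    findings = []
    for f in parse_flows(text):
        if f["dst"] in SENSITIVE and not is_allowed(f["src"], f["dport"]):
            findings.append(Finding(f["ts"], str(f["src"]), str(f["dst"]),
                                    f["dport"],
                                    "inbound to sensitive segment not on allow list"))
        elif f["src"] in SENSITIVE and f["dst"] not in INTERNAL:
            reason = "sensitive segment talking to an external address"
            if f["bytes"] >= egress_threshold:
                reason += " (large transfer, possible exfiltration)"
            findings.append(Finding(f["ts"], str(f["src"]), str(f["dst"]),
                                    f["dport"], reason))
    return findings


if __name__ == "__main__":
    for v in find_violations(FLOW_LOG):
        print(f"{v.ts} {v.src} -> {v.dst}:{v.dport}  {v.reason}")
```

On the constructed log this reports three flows: the database connection from 10.30.4.77 (a network not on the allow list), the SSH attempt from the app tier (a source allowed on 443 and 5432 but not on 22), and the 50 MB transfer from the sensitive segment to 198.51.100.23. The allow list is expressed as (network, port) pairs rather than a single "trusted networks" set on purpose: the point of segmentation is that each source is permitted only the ports its role requires.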

5. Train Employees

Regardless of the industry, employees are a frequent source of data
breaches. To combat this, the company should clearly establish that it
takes data security and unauthorized computer access seriously. Many
cyberattack techniques exploit employees’ inattention and lack of technical
expertise. Employees need regular training on how to identify and prevent
attempted cyberattacks.

6. Manage Vendors

Relationships with third-party vendors can pose substantial cyber-risks
that should be mitigated to the extent possible. Vendors should only
receive the network access and data necessary to perform their role. The
company should scrutinize the adequacy of a third party's cybersecurity
policies and procedures before entering into a business relationship with
that company. Contractual safeguards should be taken to minimize risk,
including requiring safeguards to protect sensitive data, providing rights
to audit the vendors’ security practices and requiring vendors to notify
the company if a breach occurs. The contract should allocate risk in the
event that a breach at the vendor harms the company. (Among other things,
companies should consider requiring vendors to carry cyber insurance and to
name the companies as additional insureds.)

7. Engage in Information Sharing

One way for companies to ensure that their data security solutions remain
up to date is by participating in industry cybersecurity information
sharing through, for example, Information Sharing and Analysis
Organizations (ISAOs). ISAOs allow industry players to keep abreast of
evolving cyberattack tactics and industry security standards. Companies
that do not actively participate in industry information sharing risk
falling behind in their cybersecurity initiatives and may miss critical
information that could prevent or mitigate the consequences of a cyberevent.

8. Consider Cybersecurity Insurance

The company may also benefit from cybersecurity insurance coverage.
Depending on the policy, cyber insurance may cover forensic investigation
and system restoration costs; defense and indemnity costs associated with
litigation resulting from the loss of personal information or other
sensitive data; defense costs and penalties associated with regulatory
investigations; notification costs and credit monitoring for affected
customers and employees; losses attributable to the theft of the
policyholder-company's own data (including transfer of funds); business
interruption costs attributable to a cyberattack; costs required to
investigate threats of cyberextortion and payments to extortionists; and
crisis management costs, such as the hiring of public relations firms.

It is critical to carefully review the particular provisions of each cyber
liability policy with a broker and coverage counsel. Unlike many
traditional policies, which are written on standard forms, cyber liability
policies are not (yet) based on a standard form and therefore differ
significantly from one insurer to another.

9. Develop an Incident Response Plan

Firms should create an incident response plan, which is a detailed plan
that outlines how a company will respond to suspected cyberevents. These
plans help companies quickly and effectively investigate and remediate
attacks. Among other things, an incident response plan should identify the
leaders of the response team and present easy-to-follow, scenario-based
responses to different types of cyberincidents. For each scenario, the plan
should clearly delineate the first steps that must be taken and include a
timeline of major investigative events. The plan should also provide
guidance on the timing and substance of appropriate disclosures.

The plan should provide for the involvement of legal counsel in all aspects
of the investigation of a suspected cyberevent (including communications
about the potential event, remediation efforts, and disclosure and
reporting) to ensure that the investigation is protected under the
attorney-client and work product privileges. Privilege is critical because,
although the company is a victim, it may soon find itself the defendant in
a variety of lawsuits, including lawsuits by regulators or investors.
Accordingly, incident response plans should identify an experienced data
security attorney to call and include their emergency contact information.

10. Execute the Incident Response Plan Efficiently

Once a company becomes aware of a suspected cyberattack, time is of the
essence. Losses from the attack—and potential liability to claims by
regulators and plaintiffs—are likely mounting. It is important to contact
the attorney identified in the incident response plan immediately; he or
she will help execute the response plan while maintaining privilege.

The attorney should counsel the company to avoid drawing premature
conclusions regarding the cause and source of an attack and whether the
attack has resulted in unauthorized access or exfiltration of data.
Companies should also avoid using the term “breach” unless they have
confirmed that a breach has actually occurred. A breach occurs when information is
accessed or taken by unauthorized parties. Breaches often trigger legal or
contractual obligations, including disclosure of the breach. However, many
cyberattacks (e.g., denial of service attacks) do not result in a breach.
Imprecise or inaccurate communications during an investigation can hinder
an organization's ability to defend against charges of liability by
affected third parties or regulators. In our experience, it is particularly
critical to counsel employees involved in the incident response to be
cautious about how and what they communicate.

Legal counsel (and, often, public relations experts) will assist with any
disclosures to investors, other contractual counterparties or regulatory
agencies that may be required as a result of a material breach. Legal
counsel will work to limit any harm to the company (including any
reputational damage) while at the same time limiting legal liability by
avoiding sweeping or inaccurate statements.

11. Develop a Business Continuity Plan

Cyberattacks may also result in victimized companies losing access to their
data and systems. For example, many companies have been hit by the
CryptoLocker ransomware, which encrypts the company's data and renders it
unusable unless a ransom is paid. If companies are not prepared for these types
of attacks, they may suffer a substantial interruption of services that can
be extremely costly. The company should have a written business continuity
plan to facilitate rapid and efficient data recovery and resumption of
operations.

The first step in creating an effective business continuity plan is
identifying critical systems. Systems should be prioritized in order of the
maximum time that each can be down without causing substantial harm to the
business. The company must then select a back-up system. In deciding which
back-up system to choose, the company should consider how quickly the data
needs to be restored, how much data must be stored and how long data must
be maintained. It is critical that the company's back-up system be
sufficiently segregated from the company's day-to-day systems so that a
cyberattacker cannot access the back-up system during an attack, and that
restores from it are tested regularly, since a backup that has never been
restored is an untested backup.

CYBERSECURITY ESSENTIAL TO REGULATED ENTITIES

The SEC and FINRA have made clear that they are focused on cybersecurity in
the securities industry, and this focus is only likely to grow as
cyberthreats become more sophisticated. Therefore, a strong cybersecurity
program is an essential part of any long-term strategy for regulated
entities. Securities firms developing their approach to cybersecurity
should ensure they incorporate the features discussed herein.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss