Cybersecurity Insurance and the SEC

In this video, we will put on our CCO hats and discuss why your firm absolutely needs a cybersecurity insurance policy and why you wouldn't want to go through an examination without one.

Then, we will switch gears and put on our ethical hacker hats and explain why a cybersecurity insurance policy is a complete waste of money.

To be clear, we do not sell or have relationships with any firm that sells cybersecurity insurance. The goal of this webinar is to give you an unbiased opinion on the cybersecurity insurance industry and how claims play out in the real world so that you can make the best decision for your firm.

SEC Cybersecurity Trends for 2022

Towards the end of 2021 and now into 2022, we started seeing an increase in the number of SEC examinations that focus on cybersecurity compliance.

In this video, I summarize and share some of the specific requests that we have seen in the latest wave of SEC audits and I will show you how I organize the related data and structure our compliance folders so that our clients can easily respond to these requests.
https://youtu.be/xHSkP7LFm8g

Compliance Template: The Employee Technology Usage Agreement

This is a template that can be used as a Technology Usage Agreement between an SEC or FINRA registered firm and their employees.

We recommend that you have your employee sign this document during onboarding and also attest to it annually.

This document should accompany a firm-level cybersecurity policies and procedures manual.

This policy sets forth a basic set of standards for the use and protection of {FIRM NAME} computer assets.

Continue reading “Compliance Template: The Employee Technology Usage Agreement”

Cybersecurity Tips for RIAs and Hedge Funds

When it comes to privacy, as a Hedge Fund or Registered Investment Advisor (RIA), the protection of your clients' data is critical. A data breach might not only jeopardize your reputation but also result in hefty fines and penalties. Last year, the SEC fined an RIA for failing to have adequate cybersecurity measures in place before a breach occurred.

SEC Cybersecurity

The SEC recently announced Regulation 206(4)-9, a set of regulations that will outline cybersecurity expectations for all registered firms. These regulations will start to move the SEC cybersecurity rules into a more solid form.

Here are all 244 pages of the SEC proposed cybersecurity

https://www.sec.gov/rules/proposed/2022/33-11028.pdf

It comes as no surprise that the SEC cybersecurity guidance places heavy emphasis on making sure safeguards exist to protect client information.

Here are some simple steps to follow if you are worried about your RIA’s cybersecurity compliance workflows.

Continue reading “Cybersecurity Tips for RIAs and Hedge Funds”

A Technical Guide to the SEC’s 206(4)-9 Proposed Cybersecurity Rules

On Feb. 9, 2022, the SEC voted to propose new cybersecurity requirements for investment advisers, investment companies and business development companies, known as 206(4)-9.

In this technical discussion, we will focus on the new cybersecurity books and records rules found in 206(4)-9 and then demonstrate several compliance operations that all CCOs should consider when tackling this new regulation for your firm.

We will focus on tools and techniques that will simplify your cybersecurity compliance operations.

This is an educational webinar and not a pitch. The webinar will be followed by a live Q&A session.

For deeper reading, here are all 243 pages of the new cybersecurity requirements headed your way:

https://www.sec.gov/rules/proposed/2022/33-11028.pdf

An overview of SEC Cybersecurity Regulation and Compliance Documentation Requirements

The SEC has been increasingly focused on cybersecurity in recent years, with multiple rounds of subpoenas, investigations, and examinations.

In this video, we provide an overview of the SEC’s cybersecurity regulation and compliance documentation requirements as they relate to RIAs, Hedge Funds, Family Offices, and Broker-Dealers.

12 Solid Cybersecurity Steps for All SEC Registered Firms

Step 1: Install and maintain a firewall to protect data.

Step 2: Change default (vendor-supplied) passwords on all firm devices and systems.

Step 3: Encrypt all hard drives.

Step 4: Encrypt transmission (internal or external) of client data.

Step 5: Use antivirus and malware detection software on all devices. Use VPN services for all mobile devices.

Step 6: Use only systems that allow for 2-factor authentication (YubiKey, Google Authenticator, etc.).

Step 7: Restrict access to data only to those who need it to function in their jobs.

Step 8: Assign unique usernames to all employees who access your clients’ data. No sharing of passwords.

Step 9: Restrict physical access to the data. Lock your office, enable mobile wipe, etc.

Step 10: Monitor and log all access to data and network resources.

Step 11: Perform vulnerability scans on systems quarterly.

Step 12: Documentation is EVERYTHING!

21 Steps to Secure Your RIA’s Wi-Fi Router

1. Change the default password and user ID; the new password should be at least 16 characters long.

2. Turn off WPS

3. Turn off UPnP

4. Turn off NAT-PMP

5. Wi-Fi encryption should be WPA2 with AES.

6. Wi-Fi passwords should be strong and secure

7. Don’t use an SSID that identifies you.

8. Use a password protected Guest Network. Use it for guests and IoT devices.

9. Turn Off Remote Administration

10. Test for open ports.

11. Turn off port forwarding, if you can.

12. Check for new firmware monthly.

13. Get rid of the ISP provided equipment. It is vulnerable.

14. Change the DNS servers that your router gives out to attached devices. ISP-assigned DNS servers are usually the default, and worst, option. Use DNS servers such as 9.9.9.9 (from Quad9, backed up by 149.112.112.112) and 1.1.1.1 (from Cloudflare, backed up by 1.0.0.1).

15. Change the LAN side IP address of the router.

16. For routers with a web interface, lock down access to the router from the LAN side with 2FA.

17. Turn off ping reply.

18. Turn off the wireless networks when not in use.

19. Block the ports used by Windows file sharing.

20. Block network printers from making any outbound connections.

21. If the router can send emails to you when certain errors or security concerns occur, use it.
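Because step 12 of the previous list says documentation is everything, it helps to be able to re-check a router against this checklist in a repeatable way and keep the findings with your compliance records. The script below is an added example, not code from the original post or from any router vendor: it takes a router configuration that has already been exported into a plain Python dictionary (the field names such as `wps`, `dhcp_dns`, `blocked_outbound_ports` and the sample values are constructed for this example and do not correspond to any real router's export format) and reports which of the 21 steps the configuration fails. The 16-character minimum for the Wi-Fi password, the list of common default LAN addresses and the "treat a missing setting as enabled" rule are assumptions made here, not statements from the checklist.

```python
"""Audit an exported router configuration against the 21-step Wi-Fi checklist.

Added example. The configuration layout and sample values are constructed
for illustration; map your router's own export into this shape before use.
"""
from __future__ import annotations

from dataclasses import dataclass

# Step 14: resolvers the checklist recommends (Quad9 and Cloudflare, with backups).
RECOMMENDED_DNS = {"9.9.9.9", "149.112.112.112", "1.1.1.1", "1.0.0.1"}
# Step 19: NetBIOS (137-139) and SMB (445) are the Windows file-sharing ports.
WINDOWS_FILE_SHARING_PORTS = {137, 138, 139, 445}
# Step 15: common vendor-default LAN addresses (assumption, not from the checklist).
DEFAULT_LAN_ADDRESSES = {"192.168.0.1", "192.168.1.1", "10.0.0.1"}
# Step 1 says 16 characters for the admin password; reused for Wi-Fi (assumption).
MIN_PASSWORD_LENGTH = 16

# Checklist items that are simply "turn this off": (step, config key, display name).
MUST_BE_OFF = (
    (2, "wps", "WPS"),
    (3, "upnp", "UPnP"),
    (4, "nat_pmp", "NAT-PMP"),
    (9, "remote_admin", "remote administration"),
    (17, "ping_reply", "ping reply"),
)


@dataclass(frozen=True)
class Finding:
    step: int
    message: str


def audit_router(cfg: dict, firm_name: str) -> list[Finding]:
    """Return one Finding per checklist step the configuration fails."""
    findings: list[Finding] = []

    if cfg.get("admin_user", "admin").lower() in {"admin", "root", "user"}:
        findings.append(Finding(1, "admin user ID is a vendor default"))
    if len(cfg.get("admin_password", "")) < MIN_PASSWORD_LENGTH:
        findings.append(Finding(1, "admin password is shorter than 16 characters"))

    for step, key, name in MUST_BE_OFF:
        # A setting that is absent from the export is treated as enabled:
        # an unknown state should show up as a finding, not be silently passed.
        if cfg.get(key, True):
            findings.append(Finding(step, f"{name} is enabled"))

    if (cfg.get("wifi_security"), cfg.get("wifi_cipher")) != ("WPA2", "AES"):
        findings.append(Finding(5, "Wi-Fi encryption is not WPA2 with AES"))
    if len(cfg.get("wifi_password", "")) < MIN_PASSWORD_LENGTH:
        findings.append(Finding(6, "Wi-Fi password is shorter than 16 characters"))

    # Step 7: flag an SSID that contains any word of the firm's name.
    ssid = cfg.get("ssid", "")
    if any(tok and tok in ssid.lower() for tok in firm_name.lower().split()):
        findings.append(Finding(7, f"SSID {ssid!r} identifies the firm"))

    guest = cfg.get("guest_network", {})
    if not (guest.get("enabled") and guest.get("password")):
        findings.append(Finding(8, "no password-protected guest network"))

    if cfg.get("port_forwards"):
        findings.append(Finding(11, f"{len(cfg['port_forwards'])} port-forwarding rule(s) present"))

    handed_out = set(cfg.get("dhcp_dns", []))
    bad_dns = handed_out - RECOMMENDED_DNS
    if bad_dns or not handed_out:
        findings.append(Finding(14, f"DHCP hands out non-recommended DNS servers: {sorted(bad_dns)}"))

    if cfg.get("lan_ip") in DEFAULT_LAN_ADDRESSES:
        findings.append(Finding(15, "LAN-side router address is a common default"))
    if not cfg.get("admin_2fa"):
        findings.append(Finding(16, "web interface is not protected by 2FA"))

    missing = WINDOWS_FILE_SHARING_PORTS - set(cfg.get("blocked_outbound_ports", []))
    if missing:
        findings.append(Finding(19, f"Windows file-sharing ports not blocked: {sorted(missing)}"))

    for printer in cfg.get("printers", []):
        if not printer.get("outbound_blocked"):
            findings.append(Finding(20, f"printer {printer.get('name')!r} can make outbound connections"))

    if not cfg.get("email_alerts"):
        findings.append(Finding(21, "email alerts for errors and security events are off"))
    return findings


def failed_steps(cfg: dict, firm_name: str) -> set[int]:
    """Convenience view: the set of checklist step numbers that failed."""
    return {f.step for f in audit_router(cfg, firm_name)}


# Constructed sample export: a partially hardened router with several gaps.
SAMPLE_CONFIG = {
    "admin_user": "admin",
    "admin_password": "correct-horse-battery-staple-42",
    "wps": False, "upnp": True, "nat_pmp": False, "remote_admin": False, "ping_reply": False,
    "wifi_security": "WPA2", "wifi_cipher": "AES", "wifi_password": "short-pass",
    "ssid": "AcmeCapital-5G",
    "guest_network": {"enabled": True, "password": "guest-wifi-2022-visitors"},
    "port_forwards": [],
    "dhcp_dns": ["9.9.9.9", "8.8.8.8"],
    "lan_ip": "192.168.7.1",
    "admin_2fa": True,
    "blocked_outbound_ports": [137, 138, 139],
    "printers": [{"name": "hp-lobby", "outbound_blocked": True}],
    "email_alerts": True,
}

# The same export after the findings above have been fixed.
HARDENED_CONFIG = {
    **SAMPLE_CONFIG,
    "admin_user": "ops-router-admin",
    "upnp": False,
    "wifi_password": "blue-heron-42-flies-at-dawn",
    "ssid": "blue-heron-42",
    "dhcp_dns": ["9.9.9.9", "149.112.112.112"],
    "blocked_outbound_ports": [137, 138, 139, 445],
}

if __name__ == "__main__":
    for finding in audit_router(SAMPLE_CONFIG, "Acme Capital"):
        print(f"step {finding.step:2d}: {finding.message}")
```

Run against the constructed sample, the audit reports steps 1, 3, 6, 7, 14 and 19; the hardened copy reports nothing. Steps 10, 12, 13 and 18 are not checked because they describe actions (scanning, firmware updates, replacing ISP hardware, switching radios off) rather than a setting that an export can show.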