ThreatWire

The SEC’s New Cybersecurity Regulations Are Extremely Dangerous for Registered Firms

Join us for an insightful webinar, as we delve into the controversial cybersecurity reporting rule proposed by the Securities and Exchange Commission. With negative reactions pouring in from RIAs, Hedge Funds, and Family Offices, MTradecraft raises concerns over the potential threats presented by these provisions.

Learn about the damaging effects these rules could have on registered firms, and how they could inadvertently hand over significant advantages to hackers and spies targeting sensitive data.

Don’t miss this crucial discussion on keeping your firm protected in an increasingly challenging cyber landscape.

An Overview of SEC Cybersecurity Regulation and Compliance Documentation Requirements

Discover the SEC’s growing interest in cybersecurity and their ongoing efforts to maintain strict regulations through extensive investigations and assessments.

Dive into this insightful video that unravels the complexities of cybersecurity compliance and documentation requirements for RIAs, Hedge Funds, Family Offices, and Broker-Dealers.

Stay ahead in the professional world and ensure data protection by understanding these crucial guidelines.

A CCO’s Technical Guide to the SEC’s 206(4)-9 Cybersecurity Proposal

On Feb. 9, 2022, the SEC voted to propose new cybersecurity requirements for investment advisers, investment companies and business development companies known as 206(4)-9.

In this technical discussion, we will focus on the new cybersecurity books and records rules found in 206(4)-9 and then demonstrate several compliance operations that all CCOs should consider when tackling this new regulation for your firm.

We will focus on tools and techniques that will simplify your cybersecurity compliance operations.

This is an educational webinar and not a pitch. The webinar will be followed by a live Q&A session.

For deeper reading, here are all 243 pages of the new cybersecurity requirements headed your way:

https://www.sec.gov/rules/proposed/2022/33-11028.pdf

A Discussion on Cybersecurity Insurance related to Schwab and the SEC

Embark on a riveting journey as we delve into the realm of cybersecurity insurance from two compelling perspectives! First, join us as conscientious CCOs to uncover the absolute necessity of possessing a cybersecurity insurance policy and the perils of facing an examination without one.

Next, step into the enigmatic world of ethical hacking as we explore the arguments claiming that cybersecurity insurance is, in fact, an unwarranted expense.

Rest assured, our insights are untarnished by any affiliations with firms offering cybersecurity insurance. This webinar aims to equip you with an impartial understanding of the cybersecurity insurance landscape and real-world claims execution, empowering you to make the most prudent choice for your esteemed firm.

The Dark Side: Watch us Hack a Hedge Fund

Dive into the thrilling world of cybersecurity as we unmask the mysterious realm of hedge fund hacking. Witness the real-life virtual battlegrounds that echo Hollywood blockbuster scenes, unfolding the sinister tactics of these digital marauders. Join us on this electrifying journey as we unveil the secrets behind these assaults and arm you with the knowledge to safeguard your virtual fort.

The Dark Web and Financial Institutions

Dive into the mysterious world of the Dark Web with us, as we explore the latest threats and cyber-attacks originating from this elusive network. Together, we’ll unravel the strategies used by hackers to leverage data from past breaches and launch sophisticated attacks that are incredibly challenging to trace and prosecute.

Prepare to be astounded as we delve into the dark alleys of the Tor Network, covering fascinating and eye-opening topics such as:
-The world of drugs in the hands of your teenagers
-How to hire a hacker with dubious intentions
-The menacing world of illegal weaponry bazaars
-Disentangling the intricate web of Bitcoin money laundering
-The deceptive realm of counterfeit bills.

Join our captivating discussion, and arm yourself with valuable insights to defend your organizational network from the threats lurking beneath the surface of the Dark Web.

Introduction to Cybersecurity E-Book

Since the dawn of the Internet, unscrupulous people have been using it to commit crimes. Despite technical advances when it comes to virus protection, unbreachable firewalls, and other guarding methods, cybercriminals are still getting through.

Why?

Because we simply let them in the front door.
Human error is the most common reason attacks happen.

Humans are often unaware of the risks online. They can’t see why clicking a link or opening an attachment might be dangerous. Virus protection and firewalls are necessary, but they do little good if we humans keep making mistakes.

You can find more in-depth discussions, including demonstrations from the attacker’s point of view, on our website and on the MTradecraft YouTube Channel.

Download Our E-Book

Microsoft 365: Security Benchmarks for SEC Registered Firms

How to Use Benchmarks to Secure your Microsoft 365 Environment

As a registered firm with the Securities and Exchange Commission (SEC), it is important to have an adequate understanding of security benchmarks and how they can help ensure your IT infrastructure is deployed securely. This blog post will provide an overview of security benchmarks as they relate to Microsoft 365 and Office 365, explain why they are important, and discuss what I look for when auditing a firm’s Microsoft environment.

What Are Security Benchmarks?

Security benchmarks are standards that guide configuring a system or network in a way that minimizes risk. Security benchmarks are often provided by vendors and organizations such as the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS). These guidelines provide specific instructions on configuring systems and networks to maximize security. For example, one guideline may include disabling unnecessary ports on servers or devices connected to the network. Other guidelines may include using strong passwords or limiting access to certain areas of a website based on user roles.

How Can You Use Them?

There are several ways you can use security benchmarks when assessing your existing IT infrastructure. The first step is to review any existing policies or procedures you have in place regarding security configuration. Once you have identified any gaps, you should then research any relevant security benchmarks available from vendors or third-party organizations such as NIST or CIS. You should also consider conducting an audit of your current system configuration using automated scanning tools such as Nessus (that’s what we use for our clients), which can help identify potential areas of weakness in your network configuration. Finally, you should review your existing vulnerability scans to see if they identify areas that need remediation.

Example: The CIS Microsoft 365 Foundation Benchmark

Numerous registered firms rely on Microsoft products, and we specialize in providing benchmark examinations of our clients’ Microsoft environments. For example, here are some of the most critical security items I inspect when auditing my clients. These are copied from the CIS Microsoft 365 Foundation Benchmark.

Account/Authentication Policies

  • Ensure multifactor authentication is enabled for all users in all roles.
  • Ensure that between two and four global admins are designated.
  • Ensure self-service password reset is enabled.
  • Ensure modern authentication for Exchange Online is enabled.
  • Ensure modern authentication for SharePoint applications is required.
  • Ensure modern authentication for Skype for Business Online is enabled.
  • Ensure that Office 365 Passwords Are Set to Expire.

Application Permissions

  • Ensure third-party integrated applications are not allowed (User Settings > No App Registrations).
  • Ensure calendar details sharing with external users is disabled.
  • Ensure O365 ATP SafeLinks for Office Applications is Enabled.
  • Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled (blocks malicious files).

Data Management

  • Ensure the customer lockbox feature is enabled.
  • Ensure SharePoint Online data classification policies are set up and used.
  • Ensure external domains are not allowed in Skype or Teams.
  • Ensure DLP policies are enabled.
  • Ensure that external users cannot share files, folders, and sites they do not own.
  • Ensure external file sharing in Teams is enabled for only approved cloud storage services.

Email security/Exchange Online

  • Ensure the Common Attachment Types Filter is enabled.
  • Ensure Exchange Online Spam Policies are set correctly.
  • Ensure mail transport rules do not forward email to external domains.
  • Ensure mail transport rules do not whitelist specific domains.
  • Ensure the Client Rules Forwarding Block is enabled.
  • Ensure the Advanced Threat Protection Safe Links policy is enabled.
  • Ensure the Advanced Threat Protection Safe Attachments policy is enabled.
  • Ensure basic authentication for Exchange Online is disabled.
  • Ensure that an anti-phishing policy has been created.
  • Ensure that DKIM is enabled for all Exchange Online Domains.
  • Ensure that SPF records are published for all Exchange Domains.
  • Ensure DMARC Records for all Exchange Online domains are published.
  • Ensure notifications for internal users sending malware is Enabled.
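The three DNS-based items above (DKIM enabled, SPF published, DMARC published) can be checked without touching the tenant at all, because all three are public TXT records. The script below is an added example written for this page, not MTradecraft tooling or CIS benchmark content: it embeds constructed DNS answers for two placeholder domains (`example-firm.test`, `weak-firm.test`) so it runs offline, and applies the checks an auditor would apply to live lookups: exactly one `v=spf1` record ending in `-all` or `~all` and within the ten-lookup limit, a DMARC record with an enforcing policy and a reporting address, and a non-empty DKIM key for each selector. The selector names `selector1`/`selector2` are the ones Exchange Online uses; everything else in `RECORDS` is made up.

```python
"""Offline check of the SPF, DKIM and DMARC benchmark items for a domain.

Added example: DNS answers are embedded below as a dict instead of being
resolved live, so the checks run with no network access. To audit a real
tenant, replace RECORDS with TXT lookups (for example via dnspython).
"""
import re

# Constructed "DNS answers" for two placeholder domains. Nothing here belongs
# to a real firm; the DKIM public key is an obvious placeholder.
RECORDS = {
    "example-firm.test": [
        "v=spf1 include:spf.protection.outlook.com -all",
    ],
    "_dmarc.example-firm.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-firm.test; pct=100",
    ],
    # Exchange Online publishes selector1/selector2._domainkey as CNAMEs to
    # Microsoft-hosted keys; a live resolver follows the CNAME to this TXT shape.
    "selector1._domainkey.example-firm.test": [
        "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    ],
    "weak-firm.test": [
        "v=spf1 include:spf.protection.outlook.com ?all",
        "v=spf1 ip4:192.0.2.10 ~all",  # a second v=spf1 record is itself a failure
    ],
    "_dmarc.weak-firm.test": [
        "v=DMARC1; p=none;",
    ],
}

# SPF terms that each consume one of the ten DNS lookups allowed by RFC 7208
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def _tags(record):
    """Parse the 'k=v; k2=v2' tag lists used by DMARC and DKIM into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(records):
    """Findings for a domain's SPF records (an empty list means the item passes)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers return permerror)")
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF: permissive terminator '{last}' lets any host send as this domain")
    elif last not in ("-all", "~all"):
        findings.append("SPF: record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(records):
    """Findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record published"]
    tags = _tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid policy tag (p={policy!r})")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def check_dkim(records):
    """Findings for one selector's TXT record at <selector>._domainkey.<domain>."""
    dkim = [r for r in records if r.lower().startswith("v=dkim1")]
    if not dkim:
        return ["DKIM: no v=DKIM1 record for this selector"]
    if not _tags(dkim[0]).get("p"):
        return ["DKIM: empty p= tag, the key is revoked and signatures will not verify"]
    return []


def audit_domain(domain, records=RECORDS, selectors=("selector1", "selector2")):
    """Run all three checks and return findings keyed by control."""
    report = {
        "spf": check_spf(records.get(domain, [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
        "dkim": [],
    }
    for sel in selectors:
        for f in check_dkim(records.get(f"{sel}._domainkey.{domain}", [])):
            report["dkim"].append(f"{sel}: {f}")
    return report


if __name__ == "__main__":
    for dom in ("example-firm.test", "weak-firm.test"):
        print(dom, audit_domain(dom))
```

Run as-is it reports the weak domain's duplicate SPF record, its `?all` terminator, the monitoring-only DMARC policy and the missing DKIM selectors; swap `RECORDS` for live TXT answers and the same functions audit a real tenant's domains.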

Auditing Policies

  • Ensure Microsoft 365 audit log search is Enabled.
  • Ensure mailbox auditing for all users is Enabled.
  • Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly.
  • Ensure the Application Usage report is reviewed at least weekly.
  • Ensure the self-service password reset activity report is reviewed at least weekly.
  • Ensure user role group changes are reviewed at least weekly.
  • Ensure mail forwarding rules are reviewed at least weekly.
  • Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly.
  • Ensure the Malware Detections report is reviewed at least weekly.
  • Ensure the Account Provisioning Activity report is reviewed at least weekly.
  • Ensure non-global administrator role group assignments are reviewed at least weekly.
  • Ensure the spoofed domains report is reviewed weekly.
  • Ensure Microsoft 365 Cloud App Security is Enabled.
  • Ensure the report of users who have had their email privileges restricted due to spamming is reviewed.
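Two of the Exchange Online items (transport rules must not forward mail to external domains or whitelist sender domains) and the weekly review of mail forwarding rules above come down to the same check: walk every rule and flag any destination outside the tenant's own domains. The script below is an added example for this page, not MTradecraft's or Microsoft's code. The rule objects are constructed to resemble what you would keep after exporting tenant-level transport rules and per-mailbox inbox rules to JSON, but the field names (`forward_to`, `sender_domain_allowlist`, `delete`) and the tenant domains are assumptions of this example, not the product's schema; map them to your export before using it.

```python
"""Review tenant mail-flow rules and per-mailbox inbox rules for forwarding to
external domains and for sender-domain allowlists that bypass filtering.

Added example with constructed data: the rule dicts mimic an exported rule
list but are made up, and the field names are this example's own, not the
Exchange Online schema.
"""

# Constructed tenant domains; anything outside this set is "external".
INTERNAL_DOMAINS = {"example-firm.test", "examplefirm.test"}

# Constructed tenant-wide transport (mail-flow) rules.
TRANSPORT_RULES = [
    {"name": "Archive to compliance", "enabled": True,
     "forward_to": ["archive@example-firm.test"], "sender_domain_allowlist": []},
    {"name": "Copy CFO mail", "enabled": True,
     "forward_to": ["cfo.backup@webmail-host.test"], "sender_domain_allowlist": []},
    {"name": "Skip spam filter for vendor", "enabled": True,
     "forward_to": [], "sender_domain_allowlist": ["vendor-portal.test"]},
    {"name": "Old disabled rule", "enabled": False,
     "forward_to": ["x@somewhere.test"], "sender_domain_allowlist": []},
]

# Constructed per-mailbox inbox rules (what users or intruders create themselves).
INBOX_RULES = [
    {"mailbox": "alice@example-firm.test", "name": "Invoices",
     "forward_to": ["accounting@example-firm.test"], "delete": False},
    {"mailbox": "bob@example-firm.test", "name": ".",
     "forward_to": ["b0b.backup@freemail.test"], "delete": True},
]


def domain_of(address):
    """Domain part of an SMTP address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, internal=INTERNAL_DOMAINS):
    return domain_of(address) not in internal


def audit_transport_rules(rules, internal=INTERNAL_DOMAINS):
    """Findings for enabled tenant-wide rules; disabled rules are skipped."""
    findings = []
    for r in rules:
        if not r.get("enabled", True):
            continue
        ext = [a for a in r.get("forward_to", []) if is_external(a, internal)]
        if ext:
            findings.append(f"transport rule '{r['name']}' forwards to external: {', '.join(ext)}")
        allow = r.get("sender_domain_allowlist", [])
        if allow:
            findings.append(f"transport rule '{r['name']}' bypasses filtering for: {', '.join(allow)}")
    return findings


def audit_inbox_rules(rules, internal=INTERNAL_DOMAINS):
    """Findings for user-level rules: external forwarding, and near-empty rule
    names, which are a common marker of rules planted in a hijacked mailbox."""
    findings = []
    for r in rules:
        ext = [a for a in r.get("forward_to", []) if is_external(a, internal)]
        if ext:
            note = " and deletes the original" if r.get("delete") else ""
            findings.append(f"{r['mailbox']}: inbox rule '{r['name']}' forwards to external "
                            f"{', '.join(ext)}{note}")
        if len(r["name"].strip()) <= 1:
            findings.append(f"{r['mailbox']}: inbox rule with near-empty name '{r['name']}'")
    return findings


if __name__ == "__main__":
    for line in audit_transport_rules(TRANSPORT_RULES) + audit_inbox_rules(INBOX_RULES):
        print(line)
```

The split between the two functions matters for the weekly review: transport rules are admin-created and change rarely, so any finding there is a configuration defect, while inbox rules are user-created and a new external forward with delete enabled is the pattern to escalate to incident response rather than just remediate.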

Storage Policies

  • Ensure document sharing is being controlled by domains with whitelist or blacklist.
  • Ensure the expiration time for external sharing links is set.

Mobile Device Management

  • Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks.
  • Ensure that mobile device password reuse is prohibited.
  • Ensure that mobile devices are set to never expire passwords.
  • Ensure that users cannot connect from devices that are jail broken or rooted.
  • Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise.
  • Ensure that settings are enabled to lock mobile devices after a period of inactivity to prevent unauthorized access.
  • Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data.
  • Ensure that mobile devices require complex passwords to prevent brute force attacks.
  • Ensure that devices connecting have AV and a local firewall enabled (Windows 10).
  • Ensure mobile device management policies are required for email profiles.
  • Ensure mobile devices require the use of a password.

Top 5 Things SEC Registered Firms Need to Do to Prepare for the New Cybersecurity Regulations in 206(4)-9

With the new cybersecurity compliance regulation 206(4)-9 soon to be in effect, SEC registered financial firms have a lot to consider when it comes to their cybersecurity protocols.

These new regulations require them to protect customer information and data from unauthorized access or use, as well as prevent any malicious attacks on their systems. As such, many steps must be taken for these firms to ensure they remain compliant with this new regulation.

To help SEC CCOs comply with this rule, here are five key steps they (or their cyber designee) should take:

1) Create strong passwords – Companies should make sure all employee passwords meet the requirements outlined by regulatory bodies like NIST or ISO27001/2 standards for password length and complexity. Moreover, regular checks should also be conducted on employee passwords so that weak ones can be identified quickly and replaced before hackers can exploit them.

2) Implement user authentication – Organizations should ensure that all users are authenticated before granting them access to any sensitive data. Multi-factor authentication is the gold standard when it comes to user authentication and should be implemented whenever possible.

3) Regular patching and updating – Outdated software can be a major security weak point for any organization. Therefore, companies must make sure all their software is regularly being patched and updated with the latest security patches.

4) Monitor suspicious activity – Companies should always monitor for any suspicious user activity or log-ins from unfamiliar IP addresses. Any such activities should be investigated immediately to prevent potential breaches.

5) Perform regular penetration tests or vulnerability scans – Penetration testing helps organizations identify potential vulnerabilities in their systems and networks that could be exploited by malicious actors. It is important for SEC registered firms to regularly conduct such tests to stay one step ahead of any potential attackers.
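Step 4 above is the one most easily turned into a repeatable check. The script below is an added example for this page, not MTradecraft code: it reads a batch of sign-in events, learns each user's normal source addresses from the first days of the batch, and then raises an alert for a successful sign-in from an address the user has never used, and a second alert when a success follows a burst of failures from the same address against the same account (the brute-force pattern the mobile-device items earlier on this page also guard against). The log format, user names and IP addresses are constructed for the example; the native Microsoft 365 sign-in log has a different schema, so only the parser would need to change.

```python
"""Flag sign-ins from addresses a user has never used before, and bursts of
failed logins followed by a success, over a batch of sign-in log lines.

Added example with constructed data: the one-line-per-event format, the
users and the IP addresses below are made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: several days of routine sign-ins, then one early-morning
# batch with a new address for alice and a failure burst against bob.
SAMPLE_LOG = """\
2023-01-09T08:55:10Z user=alice ip=198.51.100.20 result=success
2023-01-10T09:01:44Z user=alice ip=198.51.100.20 result=success
2023-01-10T09:03:12Z user=bob ip=198.51.100.21 result=success
2023-01-11T08:58:03Z user=bob ip=198.51.100.21 result=success
2023-01-12T09:00:51Z user=alice ip=198.51.100.20 result=success
2023-01-13T03:14:02Z user=alice ip=203.0.113.77 result=success
2023-01-13T03:20:00Z user=bob ip=203.0.113.9 result=failure
2023-01-13T03:20:05Z user=bob ip=203.0.113.9 result=failure
2023-01-13T03:20:09Z user=bob ip=203.0.113.9 result=failure
2023-01-13T03:20:14Z user=bob ip=203.0.113.9 result=failure
2023-01-13T03:20:18Z user=bob ip=203.0.113.9 result=failure
2023-01-13T03:20:40Z user=bob ip=203.0.113.9 result=success
"""


def parse_log(text):
    """Parse log lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline_days=3, failure_threshold=5, window=timedelta(minutes=5)):
    """Return alert dicts of two kinds.

    new_ip:      a successful sign-in, after the baseline period, from an address
                 the user did not use during the first `baseline_days` of the batch.
    brute_force: at least `failure_threshold` failures from one address against one
                 user inside `window`, followed by a success from that address.
    """
    if not events:
        return []
    baseline_end = events[0]["ts"] + timedelta(days=baseline_days)
    known = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end and e["result"] == "success":
            known[e["user"]].add(e["ip"])

    alerts = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
            continue
        if e["ts"] >= baseline_end and e["ip"] not in known[e["user"]]:
            alerts.append({"type": "new_ip", "user": e["user"], "ip": e["ip"], "ts": e["ts"]})
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= failure_threshold:
            alerts.append({"type": "brute_force", "user": e["user"], "ip": e["ip"],
                           "ts": e["ts"], "failures": len(recent)})
        failures[key].clear()  # a success closes the failure run either way
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

On the sample it raises three alerts: alice's success from a never-seen address, and for bob both a new-address alert and a brute-force alert carrying the five preceding failures. In practice the baseline would come from a longer history than the batch itself, and a new-address alert is a trigger for investigation rather than proof of compromise (travel and new home connections produce the same signal), which is why the brute-force alert is kept separate and ranks higher.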

By following these best practices, SEC-registered financial firms can ensure they are fully compliant with 206(4)-9, as well as any other applicable regulations. Doing so will help them protect their customer data and information from cyber threats and ensure the safety of their business.

SEC Proposed Cybersecurity Rules – What They Are and What Our Clients Should be Doing Now

What new cybersecurity regulations did 2022 bring for SEC registered RIAs?

2022 was a very busy year for cybersecurity with the SEC. The Securities and Exchange Commission (SEC) released a series of proposed regulations that would significantly increase SEC oversight of public companies’ cybersecurity-related matters. The new rules call for greater transparency in how organizations operate with regard to their cyber security policies and procedures, decision-making processes, as well as an oversight role from the Board regarding all aspects related to cyber security.

The SEC’s unveiling of these guidelines indicates the heightened importance it places on cybersecurity. In fact, no other federal agency has taken such a firm stance in requiring public corporations and their Boards to uphold certain standards related to cybersecurity. One significant requirement is that companies must have Board oversight when reviewing, assessing, and enacting policies/procedures regarding cybersecurity matters. Additionally, all organizations must divulge any ‘material’ cyber incidents as well as provide follow-up information about them in an ongoing manner. Further, organizations will be required to start actively testing for vulnerabilities on their networks.

The comment period for the proposed rules concluded on May 9, 2022 with a flurry of comments being submitted. Organizations and their respective boards should prepare now due to the potentially drastic changes that may come into play once they are settled upon.

Those changes are expected to take effect in Q1 2023.

What crucial requirements must be met once the new regulations are officially adopted?

If the SEC adopts rules similar to their proposed form, the key obligations include:

  • The SEC demands that you report any and all material cybersecurity incidents within a period of 4 days.
  • Actively and proactively perform vulnerability scans and penetration tests on your firm’s network.
  • Report any incidents that, when combined with other events, become noteworthy “as a whole” (whatever that means).
  • Periodically disclose updates on previous incidents in SEC reports.
  • Describe the company’s cybersecurity risk management system.
  • Elucidate how the Board supervises and manages cyber risk for their organization.
  • Disclose the Board members’ knowledge of cyber security.

What modifications are being made to the current regulations?

Companies and their senior management will be held to a much higher standard. The new regulations dictate that businesses must form suitable cybersecurity procedures, tell shareholders about these practices in public filings, reveal how the leading team oversees such programs efficiently, and report any cyber incidents in a manner that distributes sufficient information to investors.

If you have heard me speak in the past, one topic I always touch on is just how nebulous the SEC’s cybersecurity regulations can be. Hopefully, with the new regulations, the rules will be set in stone and more transparent than ever before; though they might come with a few extra obligations. Unfortunately, existing guidelines have made it difficult for companies to comprehend cybersecurity standards properly – but these forthcoming requirements should help rectify that issue substantially.

The SEC has made it clear that they expect more detailed and comprehensive documentation of cybersecurity threats, as well as timely incident reports and proof of proactive vulnerability audits.

What should your firm be doing?

If you have never performed a cybersecurity audit, now is the time. You simply cannot put it off any longer without being in violation. The SEC assumes you are doing audits and I assure you your clients expect you to be doing cybersecurity audits. I expect that the SEC will use the new regulations to rake noncompliant firms over the coals to make an example.

Because of that, companies should take proactive steps to review and revise their cybersecurity and risk management documents as soon as possible, taking into account any changes in technology infrastructure, mergers or acquisitions that may have occurred recently, an update of the threat landscape, and any lessons gleaned from security incidents. While these systems can take a while to refresh, beginning this process and producing that documentation now will ensure better protection against future threats.

To meet all the new regulations about board oversight, boards need to be fully educated and trained on their responsibilities concerning cybersecurity and risk management. To ensure that your board can effectively fulfill these duties, determine whether full or partial board decision-making will take charge of this task. Furthermore, guarantee that everyone involved has been properly briefed so they understand company policies and procedures before approving them. If you don’t have expertise on your board, you will need to hire an expert, such as MTradecraft, to fill that spot.

All companies must have an incident response plan in place. However, with the new proposed rules coming into effect shortly, we recommend you review and refresh your existing plans to ensure they are up-to-date. Your designated incident response team should be familiar with this timeline to help decide when it is necessary to escalate any significant or material incidents requiring senior leadership or Board approval. Without a clear escalation policy in place for such cases, your business could face consequences if left unprepared.

According to the SEC, organizations have just four days to report any material incident. This reporting window is shorter than that of any other single U.S. law or regulation! To ensure that your Board of Directors are knowledgeable on how best to respond in an emergency and take necessary actions, they must be educated on the organization’s incident response plan and then participate in simulated exercises such as a tabletop exercise.

Establish precisely what materiality means for your organization. Senior leadership and legal staff should make the final call on whether an incident is deemed to be of sufficient importance that it needs to be reported within four days. When developing both the incident response plan and normal operating environment, ensure you have procedures in place which allow for rapid escalation to senior management or the legal team who will ultimately decide if something is considered ‘material’.

The new regulations are not going to be easy.

They will significantly change your operations and drastically cut into the budget of many firms. Unfortunately, you no longer have an option. The SEC doesn’t care if you are Goldman Sachs or Jim Bob Jones, “Work-From-Home-Financial-Planner”; cybersecurity is a requirement for everyone.