OCIE 2020 Cyber Observations Amid COVID-19

April 06, 2020
  • Global Regulatory Team

The COVID-19 outbreak has had ramifications across all aspects of society globally. In asset management, never before has such a vast proportion of the workforce been forced to operate remotely from the confines of their own homes. This remarkable exodus from the office has spurred the adoption of new remote communication technologies and work tools at an unprecedented rate, and the shift occurred during a period of prolonged market volatility and general uncertainty. The downside, of course, is that this is exactly the type of environment in which cyber criminals and scammers actively look to exploit weaknesses. As such, it has never been more important for global asset managers to place cybersecurity at the very center of their operational resiliency plans. But what do fund managers, boards of directors and other top asset management executives really need to know about cybersecurity? It's a common question, and getting the answer right has never been more relevant as we continue to live in a COVID-19 dominated world.

Fortunately, the Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) has stepped forward by producing a handy guide, Cybersecurity and Resiliency Observations, that summarizes the best cybersecurity practices for asset managers. While much of the paper might be considered Cybersecurity 101, it provides a comprehensive overview for top executives who don't spend the majority of their time focused on the topic. Here is a brief summary of what to look for:

1. Governance and risk management. Because no organization, no matter how large, can afford to address each and every cyber risk out there, it's critical to develop a risk management strategy. Instead of just talking with top executives about cybersecurity as a nebulous problem, a risk assessment allows senior executives to know where their firm's cyber weaknesses are and how to mitigate them. It also allows the firm to quantify its investments in cybersecurity by showing how each one reduces risk.

2. Access rights and controls. The risks associated with access remain a top priority for most financial firms. It means ensuring that employees have access only to the data they need in order to carry out their job functions and no more. Viewed another way, duties should be separated: an employee with an administrative function, for example, should not also be able to conduct operations such as trading. If a low-level employee clicks on a link that is actually a spear phishing attack, a centrally managed access system that ensures there are no gaps will limit the degree of compromise.

Another aspect of access concerns employees with so-called privileged access, who are able to make changes to systems and applications. A major new risk for firms is that a privileged insider goes rogue or that their credentials become compromised. The only way to detect such a compromise is to have active monitoring tools and technology in place that send an immediate alert to the appropriate cybersecurity teams when, for example, configuration changes are made. These monitoring tools and capabilities are exceptionally useful during this unprecedented BCP period, when much of the workforce is working remotely.
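The two controls described above, least-privilege role assignment with separation of duties and alerting on configuration changes by privileged accounts, are shown together in the following added example. This is illustrative code written for this summary, not code from the OCIE paper or from BBH; the role names, user names and audit log lines are all constructed, and the JSON audit format is an assumption rather than any particular product's schema.

```python
"""Added example (not from the OCIE paper or the BBH post): a minimal model of
the two access-control points raised above.

1. Role separation: a user may hold an administrative role or a trading role,
   but not both, and every action is checked against the union of role grants.
2. Privileged-change monitoring: audit events are scanned and every
   configuration change is turned into an alert for the security team, with
   the reason recorded so reviewers can tell an expected admin change from one
   the access controls should have blocked.

All roles, users and log lines are constructed for illustration.
"""
from dataclasses import dataclass, field
import json

# Role -> set of permitted actions (constructed; not a real product's schema).
ROLE_GRANTS = {
    "trader": {"view_positions", "submit_order"},
    "ops_analyst": {"view_positions", "run_report"},
    "sys_admin": {"view_positions", "change_config", "manage_users"},
}

# Role pairs one person must never hold at the same time (separation of duties).
CONFLICTING_ROLES = {frozenset({"trader", "sys_admin"})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_roles(user: User, roles) -> None:
    """Grant roles, refusing any assignment that creates a conflicting pair."""
    combined = set(user.roles) | set(roles)
    for pair in CONFLICTING_ROLES:
        if pair <= combined:
            raise ValueError(f"{user.name}: roles {sorted(pair)} may not be combined")
    user.roles = combined


def is_allowed(user: User, action: str) -> bool:
    """Least privilege: permitted only if some held role grants the action."""
    return any(action in ROLE_GRANTS.get(role, set()) for role in user.roles)


def detect_config_changes(log_lines, directory):
    """Return one alert per 'change_config' audit event.

    log_lines: iterable of JSON strings with 'ts', 'user', 'action', 'target'.
    directory: mapping of user name -> User, used to decide who may change config.
    Malformed lines are skipped rather than trusted.
    """
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("action") != "change_config":
            continue
        user = directory.get(event.get("user"))
        if user is None or not is_allowed(user, "change_config"):
            # A control gap: an unknown or non-privileged account changed config.
            reason = "unauthorized_config_change"
        else:
            # Expected for a privileged account, but still reviewed immediately.
            reason = "privileged_config_change"
        alerts.append({"ts": event.get("ts"), "user": event.get("user"),
                       "target": event.get("target"), "reason": reason})
    return alerts


# Constructed audit lines: one legitimate admin change, one change by a
# trader, one garbage line, and one change by an account not in the directory.
SAMPLE_AUDIT_LOG = [
    '{"ts": "2020-04-06T09:01:12Z", "user": "alice", "action": "submit_order", "target": "ORD-1001"}',
    '{"ts": "2020-04-06T09:05:40Z", "user": "carol", "action": "change_config", "target": "vpn.gateway.acl"}',
    '{"ts": "2020-04-06T09:07:03Z", "user": "alice", "action": "change_config", "target": "trade.limits"}',
    'not a json audit record',
    '{"ts": "2020-04-06T09:09:55Z", "user": "svc_backup", "action": "change_config", "target": "backup.schedule"}',
]


def demo():
    """Build a small user directory and run the detector over the sample log."""
    directory = {}
    for name, roles in (("alice", ["trader"]), ("bob", ["ops_analyst"]), ("carol", ["sys_admin"])):
        user = User(name)
        assign_roles(user, roles)
        directory[name] = user
    return directory, detect_config_changes(SAMPLE_AUDIT_LOG, directory)


if __name__ == "__main__":
    _, found = demo()
    for alert in found:
        print(alert)
```

Running the script prints three alerts: the expected change by the administrator, the change attempted under a trader's account (which the access controls should have prevented), and a change by an account that is not in the directory at all. Attempting `assign_roles(directory["alice"], ["sys_admin"])` raises `ValueError`, which is the separation-of-duties check in action.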

3. Data loss prevention. These measures are aimed at reducing the possibility of data being surreptitiously moved out of the firm. A major focus is patch management, meaning that as soon as operating system patches are released, organizations should have in place a fast-paced, well-defined plan to install them. The US Government Accountability Office said in a report on the infamous hack at Equifax, a credit monitoring firm, that one of the main vulnerabilities was that the company failed to install a necessary security patch. Previously, organizations often decided to delay important patches for fear of business impact. However, in the current cybersecurity environment the risk of leaving an unpatched hole in your systems may greatly outweigh the risk of potential business impact from installing patches incrementally.

4. Mobile security. This is an area of increasing concern, especially when employees are working from home or other locations. There has been a sharp increase in malware aimed at mobile devices. Companies need to reinforce with their employees the importance of knowing what is and isn't permitted on mobile devices. For those firms that allow employees to use their own devices, companies need to utilize sandbox technology and virtual private networks, an encrypted channel that ties back to the organization's network.

5. Incident response and resiliency. Companies need to have a plan in place for a cybersecurity breach; they then need to test the plan in real time, simulating core systems and applications going offline, and they need to develop after-action reports on those tests that provide a roadmap for remediating the problems found. One aspect, often the most important, is to make sure that there is a communications plan in place so that the appropriate people, who know what to do, are contacted immediately. Core applications should be directly linked to your risk management program, with applications ranked by their risk. Another key aspect is to make sure there are redundant backups of data that are kept in places disconnected from your primary systems.

6. Vendor management. Third-party assessment is a major concern for cybersecurity specialists. The old adage that you are only as strong as your weakest link applies here. While the SEC requires only that firms have vendors fill out a questionnaire, this is not really sufficient. Firms need to conduct a business technology review of vendors, making sure that they maintain the same level of security control maturity as your firm does. It often helps to connect vendor management with your firm's Enterprise Risk Management department so that vendors are managed from a risk-based approach, and not purely from a compliance perspective.

7. Training and awareness. This is often overlooked, but training is by far the lowest-cost item in a company's cybersecurity arsenal. Yet it delivers the biggest bang for the buck in reducing breaches. This is especially true throughout this BCP environment, where employees may react more emotionally to compelling emails that purport to contain important information about COVID-19 or your organization's new policies on working from home. Training is not just about spending time on a computer training course, but about actually having cybersecurity personnel sit down with employees face-to-face and explain vulnerabilities and the dangers of letting down your guard, both at home and in the workplace. Curated training for different levels of the organization can ensure the relevance of the information passed on.

Bottom line

The evolving COVID-19 crisis poses a profound set of challenges for all regulated financial service providers, and high amongst the considerations (especially with a majority of staff working remotely) is cybersecurity. The mix of high market volatility, reconfigured working arrangements, and heightened threat levels means asset managers must prioritize protection of their cyber perimeter, and the OCIE advisory is useful in framing that approach. As uncertainty abounds, what is clear is that the effects of COVID-19 will continue to shape the asset management industry for the foreseeable future. We will continue to provide updates here as new developments emerge.

This article was contributed by Ben Dulieu, Vice President, Enterprise Risk Management -- Cyber and Technology.

Brown Brothers Harriman & Co. ("BBH") may be used as a generic term to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries. This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. All trademarks and service marks included are the property of BBH or their respective owners. © Brown Brothers Harriman & Co. 2020. All rights reserved.
