Protect Your Data From Cyber Threats.

Are you violating The SEC’s Recently Proposed Anti-Fraud Rule?

Disruptions to your business come in a range of shapes and sizes. Whether it’s an unprecedented onsite emergency or an unusually delayed response from a key vendor or business contact, both can throw off your business’ continuity.

Without thorough and effective business continuity planning, a disruption of any size can affect your business’ productivity, bottom line, and customer satisfaction- but that’s not all.

In a recently proposed rule by the Securities and Exchange Commission (SEC), the SEC indicated that because of the fiduciary duty an adviser owes to its advisory clients to protect its clients’ interests:

“it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”

Under the proposed rule, you’ll be required to:

• Establish strong operational policies and procedures that manage the risks associated with business continuity and transitions
• Implement policies and procedures that increase the likelihood that your business is as prepared as possible to continue operations during times of stress
• Take steps to minimize risks that could lead to disruptions in your operations
• Implement policies and procedures that increase the likelihood that your clients will not be harmed in the event of a significant disruption in their adviser’s operations

In fact, the proposed rule would prohibit a registered investment adviser from providing investment advice unless it had adopted and implemented a written business continuity plan and transition plan and such plan is reviewed at least annually by the adviser. According to the SEC, if “an adviser is unable to provide advisory services after, for example,…a cyber-attack…its temporary inability to continue operations may put clients’ interest at risk and prevent it from meeting its fiduciary duty to clients.”

“On the basis of these statements by the SEC, every BCP should include cybersecurity measures” – Kevin Scanlan

So now not only will business disruptions hurt your bottom line and your client relationships, but they could also result in consequences for SEC violations. That’s why robust Business Continuity Planning is more important than ever.

Allow Brainlink to help.

Our business continuity service features a range of necessary solutions, all for one low fixed monthly price per protected server. Key features of this service include:

• Complete end-to-end management of backups and recovery with or partners Datto
• Service by professionals who work with and understand businesses like yours
• Fully-managed & monitored service
• Cloud replication
• Off-site virtualization
• Annual review of business continuity planning documentation and updates to your account for business changes

For expert consultation on SEC rules, and robust Business Continuity Planning support, reach out to Brainlink at (917) 685-7731 or raj@brainlink.com right away.

Top Techniques to Secure Firm-Wide Buy-In for Cyber Security & Compliance

David Edwards, President, Heron Wealth started the discussion by sharing his journey. David started his career in systems at Morgan Stanley, so he knew how to use and manage IT well. Two years ago, he realized that he could no longer manage the IT and compliance issues for his firm by himself, so he engaged Raj Goel and Brainlink International to manage the onsite IT and improve cybersecurity at Heron. He also engaged Craig Watanabe, Senior Compliance Consultant, Core Compliance & Legal Services to implement training for Heron staff.

Over the past 24 months, Heron has had:

• Clients’ emails taken over. In several incidents, Heron’s staff have called their clients to notify them that the client email has been compromised and Heron is receiving suspicious emails. In one incident, they discovered that criminals had infiltrated the clients’ systems for weeks, had studied the client’s buying behavior and sent a fraudulent request to release $27,000 to purchase a horse. The client had a history of buying horses, so this was not an unusual request; what was unusual was the country that the request for funds came from.
• Heron routinely gets well-crafted phishing emails – and when they get really good ones, David encourages his staff to SHARE the phishing emails with the team. They use these emails as a training tool to teach their staff to be aware.
• Heron is constantly on guard to protect their clients from social engineering attacks and elder abuse. As David emphasized, there’s no such thing as 100% cybersecurity. 99% is good enough when your peer firms are at 60%. The bad guys go after low-hanging fruit – and David advises that your mission is to not be in that category.

He reminded the audience about the story of two hikers encountering a bear in the forest. “You don’t have to outrun the bear to survive – you just have to outrun the other hiker!”

Per David, the key risks that firms need to worry about are:

• Clients (the weakest link)
• Team members (the second weakest link)
• Password “hygiene”
• Lost devices
• Compromised technology infrastructure
• Vendors
• Complacency (Convenience trumps security)
• Non-compliance with SEC Red S-ID
• And email !

6-Month Cybersecurity Action Plan (developed by Raj Goel/Brainlink for Heron Wealth)

1. Establish 2-person review and release of all outbound cash and securities
2. Inventory all applications and devices that hold firm or client data
3. Categorize (from critical to no-risk) and establish password change schedules for all desktops, devices, and applications
4. Encrypt 100% of outbound e-mail using Transport Layer Security (TLS)
5. Add Cybersecurity rider to E&O Insurance
6. Apply two-factor authentication to critical applications
7. Swap out consumer grade router with enterprise grade router and firewall
8. Ensure the Wi-Fi router (provided to team & clients as a courtesy) is isolated from local PC’s & remote server
9. Replace consumer-grade anti-virus with enterprise-grade alternative
10. Review security protocols of remote IT server provider
11. Review the firm’s compliance with applicable Federal, State, European laws
12. Train and educate team members
13. Educate clients!

By working with Brainlink and implementing a multi-layer defense for his firm, David has established Heron Wealth as a leader in cybersecurity and is routinely featured in financial planning and wealth advisor magazines as well as conferences as a proactive thought leader.

Craig Watanabe focused on the HUMAN ELEMENT of cybersecurity.

User training is critical.

He recommends IN-person training – 1-hour training at the start of the year, then short monthly reminders.

The entire panel agreed that using web-based training or CBT systems is a waste of time.

Craig told the story of a friend who used to work at Sony Pictures. Sony’s cybersecurity training consisted of having people watch online videos/courses, then answer a few multiple questions. Most people started the training, let it play in the background while they did “real” work and then guessed at the answers.

THIS IS NOT EFFECTIVE TRAINING – this is a waste of time & money.

He strongly emphasized that focused, short, in-person training delivers higher ROI than other methods.

Craig also emphasized this his firm trains employees not only in securing corporate IT systems, but also in protecting their home equipment. Raj jumped in with Brainlink’s approach, which focuses on 360-degree threat analysis and training. It does a firm no good to train staff at work, and send them home to defenseless, infected systems. Both Raj & Craig strongly recommend training staff to implement strong cybersecurity at home as well as the office.

 Two Factor Authentication

All three panelists agreed that passwords are your weakest link. Using simple or weak passwords is poor security practice.

All three panelists urged the audience to adopt two-factor authentication.

Brainlink uses (and recommends):

• LastPass Enterprise for secure password sharing
• DUO for two-factor windows logins
• Yubikey’s for 2FA hardware tokens to secure Gmail, YouTube, LastPass, duo, etc.

The INCIDENT RESPONSE panel had some good advice as well:

If you host on AWS, read AMAZON SOC2 report, make notes & comments in the margins. Put marked up the document in your vendor file. Review contracts. For one RIA, their administrators didn’t perform a critical function for 3 months and didn’t notify the client. Administrator thought it was amusing, RIA saw it as firm-ending.

Another firm went through the SEC exam – you’re not as good as your best exam or as bad as your worst exam.

Many vendor contracts limit liability to contract fees – that’s unacceptable.

Vendor due diligence visits – visit their HQ, not their sales offices. Do at least one onsite visit and then determine how often it’s appropriate.

Don’t count on your vendors to pay for the breach & screwups. Liability is your responsibility. Review your vendor’s SLA limits – how fast after an outage can they get you back in business?

Raj’s Top 7 Action Steps

1. Protect your Credit Cards and Bank Accounts
2. Secure your IT (Firewalls/AV/AntiSpyware)
3. Implement Policy (Password, Social, BYOD)
4. Have a TESTED Business Continuity Plan
5. Educate Your Team
6. Use Two-Factor Authentication
7. Insure Your Business

Brainlink clients enjoy success, security practices they can rely on and a competitive advantage in their industry because we know the cybersecurity industry better than most. Brainlink helps firms by:

• Providing independent third party IT security assessments
• Managing their IT infrastructure
• Developing or testing INCIDENCE RESPONSE plans
• Developing BYOD, Acceptable Use, Remote Access and other policies
• Conducting DISASTER RECOVERY tests
• Providing effective cybersecurity education awareness training

TRAINING RESOURCES TO SHARE WITH YOUR STAFF, INTERNS, SPOUSE & KIDS:

To that end, Raj recommends sharing the following slides & videos with your staff:

 Protecting Your Business & Your Family:

https://www.brainlink.com/wp-content/uploads/2016/04/2016-04-20-RajGoel_BOMANY_v1b.pdf

Lessons Learned From Hurricane Sandy

http://www.slideshare.net/rajjgoelny/20130923asis59rajgoellessonslearnedfromsandyv1d

Ransomware Warning Email

https://www.brainlink.com/when-your-computer-has-been-taken-hostage-what-to-do-about-ransomware/

Social Media Awareness Training

https://www.youtube.com/watch?v=HpOg1Sgmpok

NASCAR & Ransomware

https://www.linkedin.com/pulse/ransomware-just-put-nascar-team-blocks-could-attack-stall-raj-goel

To learn more, visit www.brainlink.com/IAWATCH/ right away. To talk to Raj, reach out at (917) 685-7731 or raj@brainlink.com

Written Information Security Plan (WISP) Service & Audits

Why you need to consider a WISP

The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) has listed cybersecurity as a key focus area in its 2015 risk-based assessments.

The addition of cybersecurity as a 2015 OCIE priority comes on the heels of the April 2014 release of sample cybersecurity questions OCIE stated it may use in conducting examinations of registered entities regarding cybersecurity matters. On February 3, 2015, OCIE then released summary findings from its Cybersecurity Examination Sweep. Brainlink’s team is assisting clients in creating Written Information Security Policies (WISP) and conducting WISP Audits of existing policies.

Anyone or company that has access to client or employee information needs to ensure they implement the appropriate level of administrative and technical safeguards. Additionally, anyone or anything with access to your confidential information needs to have preventative measures in place for protecting confidential data.

What is a WISP

A Brainlink created Written Information Security Policy (WISP) details the policies and procedures for ensuring confidential data is protected, how it’s being protected and who is ensuring it’s protected.

It includes Administrative and Technical Safeguards. Administrative Safeguards:

•  Defines confidential data
• How confidential data is protected
• Where confidential data is located (i.e., shared drive, externally hosted, hard copy format, etc.)
• Who has access to confidential data and do they have a business need
• Roles and responsibilities for responding to a data breach or cyber security incident
• Internal and external communication procedures for responding to an incident
• Employee responsibilities and training Technical Safeguards:
• Assessment of technical safeguards (i.e., penetration testing, encryption, software patches, etc.)
• Evaluation of technical safeguards (i.e., Brainlink’s Security Benchmark Report)
• If needed, implementation of additional technical safeguards

Reach out to Brainlink at (917) 685-7731 or raj@brainlink.com today to schedule your security assessment.

What’s SEC OCIE Really Worried About?

As a member of the financial industry, you never stop worrying — even just a little — about the SEC Office of Compliance Inspections and Examinations (OCIE). Their cybersecurity exam sweeps are detailed, intensive, and constantly updating to keep up with changes in the industry.

The Comprehensive Strategy For Securing Employee’s Home Computer And Device Security

Given the ever-evolving range of cybercrime dangers that threaten your firm on a daily basis, it has quickly become evident that cybersecurity can’t be ignored.

Data Breach Incident Response Plan

This Data Breach Incident Response Plan provides the plans, procedures and guidance for the handling of data breach events at our office(s), or via any of our servers or mobile devices.

The plan encompasses procedures on incident response engagement and how the incident response team will communicate with the rest of the organization, with other organizations, with law enforcement and provides guidance on federal and local reporting notifications processes.

SEC Document Request List

SEC Document Request List

Testimonial From Goldhaber Research Associates, LLC

Small Firm CyberSecurity Checklist

FINRA Wants to Help You Keep Your Firm Secure

Financial Industry Regulatory Authority(FINRA) released a checklist last year — based on the national institute of standards and Technology’s (NIST) cybersecurity Framework, and the SRO’s Report on Cybersecurity practices– which is made up of five key questions to help your firm analyze its security:

Everything you need to know about the latest SEC OCIE Guidance Updates

The Security and Exchange Commission has released its first Investment Management Guidance Update in nearly two years, noting that “because funds are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses”.

A key factor in the update is that specified registrants are now required to use independent contractors for certain types of cybersecurity testing, ensuring that the focus is kept on enterprise risk management and governance:

• Assessment, mitigation, and monitoring of security and technology risk
• Capital planning and investment with respect to security and technology
• Board of directors and management oversight of system safeguards
• Information technology audit and controls assessments
• Remediation of deficiencies

These proposed modifications are aimed at enhancing the ability of regulated entities to tailor cybersecurity programs and policies to counter their own particularized risks and threats, focusing on a number of areas including Written Policies, Employee Training, Board Involvement and more.

But, at the end of the day, you just want to know what this most recent update means for your wealth management firm. These are the questions you need to ask yourself:

Written Policies and Implementation

• Written Information Security Policy (WISP)
• Information Governance: Document Retention and Deletion Policies
• Asset Management: Data Mapping, Data Classification, and Data Loss Prevention
• Incident Response Plans (IRP) and escalation procedures
• Vendor and Third-Party Provider Cyber-Security Guidelines or Requirements

Division of responsibilities between IT and Compliance

• Do you have a CISO?
• Who conducts employee cyber-security training?
• Who reports on cybersecurity initiatives to Corporate Management and/or the Board?
• How Do IT and Compliance Work Together on cyber initiatives?
• What types of data are you concerned might be targeted and what
• are you currently doing to protect that data?

Board and C-Level Involvement

• Is cybersecurity being driven from the top down?
• Is it a Board/C-Suite priority?
• Does the CISO or CCO report on cybersecurity to the Board and C-Suite?
• How often do you present and/or involve the Board on cyber programs, training, policies, infrastructure and other initiatives?
• How prioritized are cyber-security initiatives? Where does it fall in the operating budget? What is your scope? 

Litigation Exposure

• Target breach – two shareholder derivative suits filed
• Wyndham breach – shareholder derivative suit
• Home Depot breach – shareholder derivative suit
• All of these actions have been dismissed; but what about the future?

Employee Training

• Who at your firm is responsible for training?
• Do you conduct training in-house or use a vendor?
• How frequent is training? Annually, monthly, is there follow-up in between?
• How do you track training and participation?
• How do you test effectiveness of the training?

What topics are you focusing on?

• Passwords
• Phishing
• Spearfishing
• Care with portable devices, such as mobile phones, laptops, USB
• Encryption

Not sure about how to answer these questions? Brainlink will help.

For more information about SEC OCIE Guidance and what the recent updates mean for your firm, reach out to Brainlink right away at (347) 460-2238 or raj@brainlink.com.

Brainlink’s Sophos Implementation at NYC Private Equity Firm Boosts Network Performance While Providing Unparalleled Analytics

Your Bespoke Technology Partner

Protecting Consumer Privacy: DO’s, DON’Ts & Lessons Learned from the FTC

Lessons Learned From Sandy

Raj Goel, CISSP
Chief Technology Officer, Brainlink International, Inc