Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.
While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.
This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.
Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple page view request on an infected website can result in malware or spyware spreading through the firm’s network, resulting in data breaches and financial and reputational damages. One post on a social media platform or in a chat room may invite the scrutiny of regulators.
How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:
1) SEC Enforcement: More Pressure for Investment Firms
The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.
The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.
Policing “Cyber-Related” Misconduct
The report also documents the Division’s increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cases, including such involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 saw the SEC’s first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.
While an agency-wide hiring freeze since late 2016 led to a 10% staff reduction since, this seems not to have resulted in less pressure on regulated securities investment firms. The Division's annual report documents significant continued enforcement-related activities.
From a compliance perspective, one item in the “Other Noteworthy [Enforcement] Actions” section of the report may deserve more attention than it received so far: it points to “13 registered investment advisers who repeatedly failed to provide required information that the agency uses to monitor risk.”
When regulators request such information from entities under investigation, disparate data sources and a lack of compliance-ready IT tools may prevent firms to “promptly produce” (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it prevents a unified view into a firm’s activities on the web, for example when team members post on social media or pull research data from third-party aggregators.
A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, to facilitate at-a-glance compliance reviews and post-issue remediation.
Read / download:
Division of Enforcement of the U.S. Securities and Exchange Commission: Annual Report 2018 [PDF]
2) Vigilant Regulators, Weak Policy Implementation
In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds.
The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.
“SEC’s Enforcement Program Remains Robust”
The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.
Noteworthy in particular from the compliance and IT perspective is the extensive review in this report of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC had alleged failures in the firm’s cybersecurity policies and procedures.
The firm had over a dozen policies and procedures in place governing cybersecurity, the Proskauer report explains. It lays out in detail why “[t]he SEC found that these policies were not reasonably designed to apply to the systems that independent contractors used.”
Increased reliance on third-party vendors and external service providers and the adoption of web-based apps and services mean more complexity and less oversight for compliance and IT admins when employees and external contractors access the web on behalf of the firm.
Attempting to reverse this trend with an ever-increasing patchwork of security tools has not solved the problem. Instead, disparate point solutions increase complexity and risk even further. According to Cisco’s 2018 Annual Cybersecurity Report [PDF], nearly half of all IT security risks stem from having multiple security vendors and products. Compliance leaders and IT in regulated financial services organizations need a vantage point that ensures oversight and control when team members go online.
Read / download:
Proskauer Rose LLP: 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds (11/2018)
3) Digital Disruption in Capital Markets
Global consulting firm Accenture has examined historical inefficiencies in the business model of the capital markets industry as it faces digital disruption. One of the results is the firm’s recent report Capital Markets Technology 2022, in which the authors highlight five technology design principles for investment banks and advisory firms.
"Agile and Resilient, Simple and Homogeneous"
Likely to resonate with compliance and IT leaders are Accenture’s design principles # 4 and # 5, which prescribe deploying technologies that are agile and resilient as well as simple and homogeneous.
As an example, the authors cite “emerging risks in the cyber realm,” which account for more of the chief risk officer’s time than ever before. “With the cost of a breach expected to increase 100 percent per year for each of the next four years,” the paper points out, “it’s not difficult to see why.” The Accenture team recommends “[r]emoving unnecessary complexity and friction across the organization, outsourcing and leveraging utilities where possible.”
The financial services sector’s shift to web apps, SaaS and cloud utilities is putting compliance officers and IT in a tough spot. They are tasked with preserving access while maintaining oversight and containing risk. According to Accenture’s Capital Markets Technology 2022 outlook, 9 out of 10 financial services compliance officers expect that compliance costs will further increase.
One contributing factor is the continued use of the locally installed browser as the primary tool to access and manage cloud-based apps and web services. Because the regular browser wasn’t designed with security and compliance in mind, it is notoriously difficult to control and monitor. Its architectural resistance to risk management is creating dangerous blind spots for the compliance team and IT. Deploying a cloud browser instead removes the local attack surface for web-borne exploits, reduces overall complexity, and provides unified, at-a-glance monitoring, logging and auditing capabilities for compliance leaders.
Read / download:
Accenture: Capital Markets Technology 2022 [PDF] (2018)
4) Global Private Equity Survey: Cybersecurity
22% of surveyed private equity (PE) firms have recently experienced a cybersecurity breach, according to the annual 2018 Global Private Equity Survey conducted by consulting firm EY. More than half (58%) of respondents said their reported incidents were considered serious. Many more may have gone unreported.
Infographic Source: EY
Most private equity firms (70%) covered rely on externally-developed threat intelligence tools. The survey’s findings also indicate that discomfort and insecurity remain about specific threats and compliance relevant risks that such tools may not detect or prevent.
This could explain why “Employee Training” (87%) was the most common response to the survey question “What steps are you taking to improve your firm’s cybersecurity?”
The EY report maintains that “[c]areless or unaware employees, social media and mobile computing use can create potential vulnerabilities.” While employee training is important, isn’t it time to focus on the root cause?
Security researchers agree that most data breaches are web-related. A secure cloud-based browser removes this attack surface from the local IT. All web code is rendered in a centrally managed isolated environment offsite, and only an interactive display of the web page reaches the endpoint over an alternate, non-HTTP protocol. No matter if employees click deceptive links or download infected files - any web-borne exploits are prevented from ever reaching the firm’s computers.
Read / download:
EY: 2018 Global Private Equity Survey [PDF]
5) Information Security Program Implementation for Investment Advisers
For investment adviser firms (IAs) in the process of devising their Information Security Program (ISP), consultancy Ascendant Compliance Management provides in-depth guidance. Based on a review of OCIE examination priorities, its manual Getting Your Information Security Program Up To Scratch recommends taking a step-by-step approach.
The paper, written by Ascendant’s Tom Hackett, includes a comprehensive overview of OCIE priorities and the policies and procedures required to protects the firm’s digital assets and meet the expectations of its examiners. It focuses on Governance and Risk Assessment, Access Rights and Controls, Data Loss Prevention, Vendor Management, Training, and Incident Response.
Compliance managers and IT admins will appreciate the hands-on approach of this guide, which translates regulatory priorities into actionable items for practitioners.
Read / download:
Ascendant: Getting Your Information Security Program Up To Scratch (2018)
Compliance and Control on the Web, for Your Firm:
Discover why leading investment firms and advisers are using Silo, the cloud browser. Find out how Silo helps minimize risk, maximize productivity and ensure oversight and governance when employees go online. Try Silo yourself: