Cybersecurity Awareness Month

October is Cybersecurity Awareness Month! Are you cyber-prepared and aware of cybersecurity threats lurking in the financial industry? This article provides actionable tips and tricks to help you maintain a robust cybersecurity posture, including when working remotely. PINE also offers some compliance insights on the advantages of engaging an IT managed service provider and the importance of incorporating them into your firm’s critical service provider oversight processes.


Cybersecurity in the Investment Space

Investment firms manage vast amounts of personal and sensitive financial information, making them prime targets for criminals. With the increasing sophistication of cyberattacks and the impact such attacks can have in the investment industry, the SEC continues to prioritize ensuring firms have adequate cybersecurity measures in place to safeguard information stored on an investment firm’s systems. Developing comprehensive policies and procedures that address information protection, along with ensuring employees understand and adhere to the cybersecurity policies and practices your firm has implemented, are essential components of an effective cybersecurity program.

When it comes to cybersecurity, each employee plays a critical role in protecting the information at their organization. Safeguarding data is a team effort, and it is critical for each employee to understand their role in securing data they may possess. Confirming that you are informed on your firm’s information security policies and know how to escalate incidents before they become major incidents is imperative while working in the investment industry.

Simple Cybersecurity Steps You Can Take TODAY!

Oftentimes, we overlook these simple, yet critical steps for staying safe online. Taking the below steps can ensure you are putting your best foot forward in the online world:

  1. Use Strong and Different Passwords: Using the same password for all your logins has the potential for information across different platforms to become easily compromised if your single password is stolen. Using a password manager is a great tool to assist with storing and safeguarding multiple robust passwords, and regularly interchanging your passwords with different logins can prevent unauthorized use of one of your passwords from leading to a larger data compromise.

  2. Use Multi-Factor Authentication (MFA) When Possible: Adding a second layer of identity verification before access to sensitive information is granted provides another layer of defense against information compromise.

  3. Recognize and Report Phishing: Social Engineering, including phishing, is a common way information becomes compromised in the financial industry. Oftentimes, criminals will attempt to use fake communications with the goal of luring you to act upon an urgent matter that involves disclosing sensitive information. This can include examples such as unanticipated requests for changes in wire instructions, disclosing banking details, requesting passwords via email, and other unusual requests. Criminals can also use phishing communications to trick you into clicking on malicious links or downloading malware onto your hardware device. Ensuring you are reviewing emails with skepticism to determine validity before acting is a critical action to prevent information incidents from occurring. Reporting suspected phishing emails is also a step you can take to prevent malicious activity from spreading within your firm’s IT infrastructure.

  4. Update Software Regularly: Keeping your systems and anti-virus software up-to-date fixes issues and improves security for your devices. Criminals often look for gaps in system security – regularly updating your software ensures these gaps are addressed before criminals can exploit them.

Working Remotely Tips

Working remotely poses its own set of challenges and cyber-related risks. Ensuring you take appropriate steps to mitigate risks when working outside the office is an important feature in the post-COVID-19 world. Making your home workspace an extension of your office workspace in terms of cybersecurity measures helps prevent data from being compromised when you are outside the office. Below are recommendations for keeping your remote working space secure:

  1. Lock Up and Shred Sensitive Documents. USB drives, papers, and notes may contain confidential data. Safely storing these physical items in a locked area when not in use can help prevent potential intruders from compromising sensitive data contained on these items. Additionally, shredding documents when you intend to discard the papers helps prevent sensitive data from being dug up in the trash can later by would-be criminals.

  2. Lock Device Screens When You Walk Away. Whenever you leave your work devices unattended, you should lock your device screen so that information cannot be accessed while you are away. When working outside the office, you never know who may be trying to gain access to your devices; keeping your devices locked when not in use can prevent unauthorized sign-ins.

  3. Keep Your Software Up-to-Date. As mentioned, criminals are continuously evolving the ways they can breach your software safeguards. Security precautions need to be updated in response to gaps criminals may have identified. Regularly updating your software and systems is an important step in preventing criminals from exploiting potential gaps in your IT system’s security.

Managed IT Service Providers

Engaging a managed IT service provider offers several key advantages for investment firms. IT service providers can provide specialized expertise in maintaining a firm’s IT infrastructure and can assist with ensuring optimal performance in your systems. Managed IT service providers can also provide competence in understanding the complexities of cybersecurity and mitigating ongoing and emerging cyber threats in the financial industry. Managed IT service providers often offer 24/7/365 support and monitoring, which ensures that any technical issues are addressed promptly and appropriately. Should a cybersecurity incident arise at a firm, a managed IT service provider can also provide immediate assistance in detecting and mitigating cyber incidents before they escalate. The 2023 proposed Cybersecurity Risk Management Rule for Investment Advisers, Registered Investment Companies, and Business Development Companies introduces regulatory notification requirements for significant cybersecurity incidents. A dedicated IT service provider can be a valuable asset in helping investment firms meet timely response and reporting obligations imposed under the proposed rulemaking.

Managed IT service providers can also play a key role in supporting an investment firm’s third-party oversight obligations, particularly in managing cybersecurity risks for service providers who exchange sensitive information with one another. Having technical expertise on information security, a managed IT service provider can assist investment firms in evaluating and ensuring the effectiveness of a service provider’s control environment, verifying that information is appropriately safeguarded by the service provider.

Summary

This Cybersecurity Awareness Month is a reminder that we all have a critical role in safeguarding information. Each person can take simple, yet important steps for ensuring the information in their possession remains secure. Information security is also an important aspect of compliance oversight that the SEC continues to emphasize as part of an investment firm’s regulatory obligations. PINE encourages those who are interested to reach out to us to learn more about cybersecurity measures you can take to maintain a robust and compliant information security program.
