Internal Control Environment: Proactive Mindset for a New Threat Age

Adapting to a changing threat landscape is an ever-present reality for every organization. With new, sophisticated risks emerging at an increasingly rapid rate, existing internal controls that companies have relied upon for years are quickly becoming obsolete. New amendments to Regulation S-P (Safeguard Procedures) provide updated rules for investment firms in how they codify cybersecurity in their policies and procedures — but these revisions alone are not enough.

Gaps in an investment firm’s internal controls environment can lead to costly security breaches, resulting in negative publicity, potential enforcement action, and the loss of investors or clients. To address the risk modern threats present, organizations must assess their approach in several key areas, including compliance, education, and controls.


Enhanced Regulations

When organizations are considering how they can comply with new requirements, understanding the ever-changing data and cybersecurity risk and regulatory landscape is crucial in building an effective internal control set to respond to identified threats. In May 2024, the SEC issued amendments to Regulation S-P in an effort to expand safeguards and bolster data disposal rules, enhance notification requirements to affected parties, require mandatory incident response protocols and notifications, and provide annual privacy notices.

The amendment states that registered investment advisers, broker-dealers, and other covered financial institutions are required to “develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of sensitive customer information.”


Enhanced Threat Environment

Organizations must also understand the new and changing cybersecurity threat environment, including various attack vectors. Security breaches often occur through social engineering attacks, such as email spear phishing, in which deceptive links or attachments target specific employees and trick them into opening an access point, granting malicious actors unauthorized access to a company’s network.

Once a security breach occurs, malicious actors can gain access to and study a firm’s internal policies. In one example involving an investment firm, cybercriminals sent wire instructions to staff accountants through email by impersonating the firm’s CFO. Everything about the emails appeared to be genuine, so employees processed the instructions and made several transfers before anyone detected something was amiss. Since the dollar threshold of the wires did not meet the internal policy threshold for CFO approval, the existing procedure to detect fraudulent activity proved insufficient. 

Spoofing, or impersonation, is another common social engineering technique and has become increasingly sophisticated by leveraging generative AI to create deepfakes that can deceive even security-conscious users. Deepfakes represent an emerging threat in which phone calls and video messages impersonate key stakeholders. The tools needed to execute such criminal acts are becoming increasingly accessible to bad actors, fueled by the powerful capability of generative AI. The audio and video samples needed to replicate a person’s voice and face are easily obtainable by simply accessing a publicly posted webinar on a social platform and capturing as little as a minute of content. Criminals using this technique will often make unsolicited calls impersonating a key company officer’s voice, asking leading questions that prompt the respondent to reveal sensitive firm and client information.


Developing a Proactive Mindset

Developing strong internal policies and procedures is a fundamental first step toward enhancing data security and memorializing a response plan protocol to satisfy SEC requirements. There are several commonly implemented best practices that may be employed by investment firms aimed at comprehensively managing aspects of a data security ecosystem.


Security Protocols and Procedures:

Security protocols and procedures form the overarching controls architecture of an investment firm’s data security. Strict controls around sensitive data exposure should be embedded throughout an investment firm’s security protocols. There are several steps firms must account for when enacting these controls.

  • Access to Schedule K-1 information, subscription agreements, and other related client information must be defined and stringently delegated based on necessity.
  • Administrative delegation and authority should limit access to sensitive information to only those who require it, thereby reducing data exposure.
  • Basic password protocols and multifactor authentication methods, such as the use of security tokens or biometric data, should be considered to bolster security.
  • Email encryption software and protocols around document storage, including cloud-based platforms, should be implemented, particularly for organizations with a remote workforce.
  • Guardrails must be established around the use of generative AI and other tools using large language models, specifying what information is permitted to be uploaded and how employees are permitted to interface with such platforms.

For investment firms, the main vulnerability of their control environment lies with funds movement and disbursement, especially wire transfers. If malicious actors gain email access and steal pertinent firm information, such as account numbers and funds transfer instructions, they can follow email chains and determine who is authorized to send and receive funds. From there, they can inject themselves into the chain to direct transfers. It’s for this reason that wire or funds transfer instructions should never be sent over email unless an encrypted and secure protocol is used. While there are third-party providers who offer such services, and many investment services firms have enacted dual authentication when performing transfers, most now conduct transfers over the phone or video to avoid the risk of data compromise.

But even the reliability of voice and video calls can be compromised in the current threat environment. Cybercriminals are employing deepfake AI to mimic voices, images, and video, necessitating more detailed security measures. If there is uncertainty about whether or not a message is valid, simple steps like calling a person directly through a verified channel can help confirm whether the information is genuine. Firms have also begun to employ technology that provides multifactor authentication, drawing from video facial recognition and publicly available social profile information to validate the payer/payee.
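The funds-movement controls described above, and the earlier example of wires that slipped under the CFO approval threshold, can be expressed as a small policy check that runs before any transfer is released. The following is an added illustration, not BDO's code or a description of any particular firm's system; the threshold, aggregation window, channel names, payee registry and wire requests are all constructed values. It flags instructions that arrived over plain email, requires an out-of-band callback whenever a payee or account is new or changed regardless of amount, and aggregates recent wires to the same account so that several small transfers cannot avoid the approval that one large transfer would need.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class WireRequest:
    request_id: str
    requested_at: datetime
    payee: str        # beneficiary name as stated in the instruction
    account: str      # beneficiary account identifier as stated in the instruction
    amount: Decimal
    channel: str      # how the instruction reached the firm (constructed labels below)


# Constructed policy parameters; a real firm sets its own.
CFO_APPROVAL_THRESHOLD = Decimal("100000")
AGGREGATION_WINDOW = timedelta(days=7)
# Only instructions received through an encrypted/verified channel are acted on.
ACCEPTED_CHANNELS = {"secure_portal", "verified_call"}


def required_controls(req, known_payees, history):
    """Return the sorted list of controls a wire must clear before release.

    known_payees maps payee name -> account verified by a prior callback.
    history holds earlier requests (any outcome); counting all of them is the
    conservative choice for the aggregation rule.
    """
    controls = {"dual_authorization"}          # two distinct approvers on every wire
    if req.channel not in ACCEPTED_CHANNELS:
        controls.add("reject_unencrypted_channel")
    if known_payees.get(req.payee) != req.account:
        # New payee or changed account: confirm by calling a number held on
        # file, never one supplied in the instruction itself.
        controls.add("callback_verification")
    window_start = req.requested_at - AGGREGATION_WINDOW
    recent_total = sum(
        (h.amount for h in history
         if h.account == req.account and window_start <= h.requested_at <= req.requested_at),
        Decimal(0),
    )
    if req.amount >= CFO_APPROVAL_THRESHOLD or recent_total + req.amount >= CFO_APPROVAL_THRESHOLD:
        controls.add("cfo_approval")
    return sorted(controls)


def review_batch(requests, known_payees):
    """Evaluate requests in time order, building the history as it goes."""
    history, decisions = [], {}
    for req in sorted(requests, key=lambda r: r.requested_at):
        decisions[req.request_id] = required_controls(req, known_payees, history)
        history.append(req)
    return decisions


# Constructed sample data: one verified payee and four requests, three of which
# are split into amounts below the threshold and sent to a changed account.
KNOWN_PAYEES = {"Acme Fund Admin": "ACCT-001"}
SAMPLE_REQUESTS = [
    WireRequest("W1", datetime(2024, 6, 3, 9, 0), "Acme Fund Admin", "ACCT-001", Decimal("40000"), "secure_portal"),
    WireRequest("W2", datetime(2024, 6, 4, 9, 0), "Acme Fund Admin", "ACCT-999", Decimal("40000"), "email"),
    WireRequest("W3", datetime(2024, 6, 5, 9, 0), "Acme Fund Admin", "ACCT-999", Decimal("40000"), "verified_call"),
    WireRequest("W4", datetime(2024, 6, 6, 9, 0), "Acme Fund Admin", "ACCT-999", Decimal("40000"), "verified_call"),
]

if __name__ == "__main__":
    for request_id, controls in review_batch(SAMPLE_REQUESTS, KNOWN_PAYEES).items():
        print(request_id, controls)
```

In the sample batch, W1 goes to the verified account and needs only dual authorization; W2 arrives by email to a changed account and is both rejected on channel and held for callback; W3 still needs a callback because the registry has not been updated; and W4 triggers CFO approval because the three 40,000 wires to the same account inside the window total 120,000, which is exactly the gap the amount-only rule in the earlier example left open.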

Data monitoring should be a best practice of any financial services firm, including the periodic review of accounts and transfer activity to identify any unusual activity that may stem from an undetected security breach. Firms should also verify any changes to investor or limited partner personal information. Even subtle alterations, such as changes in a limited partner’s domain password, should be verified immediately to avoid compromise. Domain monitoring is also important, because malicious actors will often make a slight alphabetical or numerical change to a firm’s domain in order to associate or link false accounts, making the subtle but harmful variation easy to overlook.
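The domain monitoring point above is the kind of check that can be automated on inbound mail. The block below is an added example written for this page, not BDO's tooling or any vendor product; the trusted domains and the sender addresses are constructed, and the "registrable domain is the last two labels" rule is a simplifying assumption (a production check would use a public suffix list). It normalizes the sender's domain so that common substitutions (digit 1 for l, 0 for o, "rn" for "m", an inserted hyphen, full-width characters) collapse to the same form, then compares it to each trusted domain by exact canonical match or an edit distance of one.

```python
import unicodedata
from email.utils import parseaddr

# Constructed: the firm's legitimate sending domains (hypothetical names).
TRUSTED_DOMAINS = ("examplecapital.com", "examplecap-admin.com")

# Substitutions commonly used to imitate a domain, applied in this order.
CONFUSABLE_REPLACEMENTS = (
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("-", ""),
)


def canonical(domain):
    """Fold a domain to a form in which look-alike spellings coincide."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for lookalike, letter in CONFUSABLE_REPLACEMENTS:
        s = s.replace(lookalike, letter)
    return s


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain):
    # Assumption: last two labels; real deployments consult a public suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def classify_sender(header_value):
    """Return (verdict, matched_trusted_domain) for a From: header value.

    verdict is "trusted", "lookalike" (near miss of a trusted domain) or
    "unknown" (unrelated external domain).
    """
    _, address = parseaddr(header_value)
    domain = address.rsplit("@", 1)[-1]
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    for trusted in TRUSTED_DOMAINS:
        if canonical(reg) == canonical(trusted) or edit_distance(canonical(reg), canonical(trusted)) <= 1:
            return "lookalike", trusted
    return "unknown", None


# Constructed sample of From: headers as they might appear in a mail log.
SAMPLE_SENDERS = [
    "cfo@examplecapital.com",
    "ops@mail.examplecapital.com",
    "cfo@examplecapita1.com",
    "cfo@exarnplecapital.com",
    "cfo@examplecapital.co",
    "Example CFO <cfo@example-capital.com>",
    "newsletter@unrelatedvendor.com",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, match = classify_sender(sender)
        print(f"{verdict:9} {sender}" + (f"  (imitates {match})" if verdict == "lookalike" else ""))
```

A hit of "lookalike" is a reason to hold the message for review, not proof of fraud; the useful output for a monitoring team is the pairing of the suspect domain with the trusted domain it resembles, which is why the function returns both.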


Data Retention and Physical Infrastructure Protection:

Data retention is a topic often overlooked but critical in safeguarding a firm’s data security. With an increasing amount of information continuously uploaded to the cloud, firms should implement controls to determine what is essential and timely versus what information is stale and should be destroyed. Data retention protocols also extend beyond digital data to sensitive physical documents stored on premises, such as copies of subscription agreements, offering memorandums, and limited partnership agreements. Parameters around retention of such documents, their secure storage, and destruction should be part of every firm’s data retention protocol.

Similarly, organizations should have robust policies in place for firm equipment containing sensitive information. If a mobile device or laptop is lost, administrator or third-party IT professionals should have the ability to remotely wipe a device to limit exposure. Any out-of-the-box software packages and manual configurations to a firm’s network should be done by a professional IT engineer to avoid the emergence of gaps that may be vulnerable to penetration by malicious actors.


Counterparty Due Diligence:

Data security goes beyond a company’s internal data security environment, particularly since data is regularly passed on to and stored with fund administrators, prime brokers, banks, and other related service providers. While these counterparties should have their own controls in place, it is incumbent upon the investment firm to ensure their data is being handled and stored in a secure manner. To monitor external data security, investment firms can verify that service providers that they engage with perform annual third-party attestations. Specifically, a SOC 1 or SOC 2 report can provide a level of assurance around a counterparty's internal control environment related to internal control over financial reporting (SOC 1) or particular trust services criteria (SOC 2). The organization may engage in additional due diligence beyond a SOC report via periodic questionnaires or meetings with providers to better understand service providers’ internal controls and data security environments.

Additionally, while many investment firms employ the services of third-party IT security companies, reliance on these vendors should be viewed as a partnership in safeguarding sensitive data, not as the ultimate solution. Instead, firms must recognize and promote the mindset that every employee is on the frontline of cyberthreats, making it essential for organizations to proactively consider cybersecurity protocols that are rooted in established best practices to protect sensitive data and prevent security breaches. 

Investment firms must also be aware that third-party IT environments, such as outsourced cloud-based applications, are also susceptible to the same types of risks internal environments are. Outsourcing a service does not outsource the risk, and it’s imperative that organizations consider what monitoring controls an outside provider is using.


Education, Testing and Culture:

Employee education is another essential line of defense against security threats. Given the increasing sophistication of cyberthreats, it’s important to provide at least annual training to firm employees on the latest emerging threats so they can recognize and be prepared to deal with them. For example, some aspects of training may include triggers for suspicious AI-generated calls and how to confirm the identity of the caller or how to ask appropriate leading questions.

Continuous, simulated penetration testing through third-party professionals is another critical tool in maintaining awareness about current threats. Penetration testing provides an opportunity to test controls in a simulated cyberattack, offering insight into where firms may need to make adjustments. In the event of a data breach or loss of firm equipment containing sensitive information, every employee should know the proper firm procedures to report incidents in real time.

In conjunction with employee education, firms should foster an environment of transparency and openness. If an employee does not feel comfortable reporting an error they made by clicking on an attachment from a suspicious source, they may not feel emboldened to immediately report the incident to firm leadership. A punitive internal culture can create an atmosphere of fear and result in significant delays in resolving a breach, which could magnify the extent of the damage.

Effectively responding to cyberthreats is the responsibility of every professional within the organization. While strong policies and procedures satisfy regulatory requirements and can serve as a starting point to data security, investment firms should establish strong protocols and procedures considering access, data retention, third-party due diligence and appropriate education and training to promote a more proactive mindset toward cyberthreats.

Learn how BDO’s experienced, knowledgeable team can help your organization assess and enhance its controls environment.