Blog | Aug 04, 2020

No New News To Tell

On April 1st, 2014 I found myself with eSentire’s (then) CEO J. Paul Haynes in the Securities and Exchange Commission (SEC) building in Washington, D.C., to meet with Ms. Jane Jarcho, who was soon to be made the Deputy Director of the Office of Compliance Inspections and Examinations (OCIE).

We had well over a decade of hands-on information security experience defending mid-sized financial institutions (including registered investment advisors, hedge funds, alternative asset management firms, and investment banks), and she was interested in hearing about those experiences.

At the end of our discussion, we asked about a document that had come into our possession from one of our customers: an information request that seemed to have come from the OCIE but wasn’t yet public. As I recall, she was surprised it had been made public. This information request, which came to be informally called the “SEC Cybersecurity 28 Questions”, was an excellent broad overview of an information security stance; it was extremely thorough and topical.

On April 15th, 2014 it was formally released to the public. I believe it was the first time the questions from an SEC-OCIE information request had been made public. It was a bombshell to the CTOs in the mid-market financial sector, as it was the first time that the SEC had directly asked questions regarding cybersecurity.

The Risk Alert itself:

The OCIE Cybersecurity Initiative focused on the following categories:

1) Cybersecurity Governance/Identification of Risk

2) Risks Associated with Remote Customer Access and Funds Transfer Requests

3) Risks Associated with Vendors and Other Third Parties

4) Detection of Unauthorized Activities

5) Incident Response

Based on the responses given, the SEC-OCIE were able to tighten up their audit methodologies and questions. To prepare firms for the new focus on cybersecurity, in September 2015, the SEC-OCIE issued the details for their Cybersecurity Examination Initiative. They focused on the following categories:

1) Governance and Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

These cardinal categories are excellent pillars upon which to build your firm’s cybersecurity foundation. Unfortunately, I felt that it didn’t have the same impact as the 2014 risk alert because it wasn’t released in the form of audit questions; the details were buried in dense text within the appendix. If you took the time to read through the appendix, you could convert the specific bullet points listed into questions about your own firm and arrive at the 36 audit questions the SEC auditors would ultimately use. In fact, I did this.

In August 2017, the SEC-OCIE issued a summary of Examination Observations to highlight their best practice suggestions for market participants. They focused on the following categories:

1) Cybersecurity/Risk Assessment

2) Access Rights and Controls

3) Data Loss Prevention

4) Vendor Management

5) Training

6) Incident Response

Do you see a theme developing?

Most recently, in January 2020, the SEC-OCIE released another summary of Examination Observations and focused on the following categories:

1) Cybersecurity Governance/Risk Management

2) Access Rights and Controls

3) Data Loss Prevention

4) Mobile Security

5) Incident Response and Resiliency

6) Vendor Management

7) Training and Awareness

You may notice considerable overlap between the six categories of focus from September 2015 through August 2017 to January 2020. In fact, the one major difference is the request for further visibility into mobile devices; however, if you’re properly working on the six main pillars from August 2017, there’s no need to extend your focus to Mobile Security: it’s already covered. There is also a difference in the format in which the most recent Examination Observations were released: it is considerably easier to digest.

A recent Ransomware Risk Alert further emphasizes the need to pay attention and adhere to the six infosecurity pillars. It places specific focus on:

1) Incident response and resiliency policies, procedures, and plans

2) Operational resiliency

3) Awareness and training programs

4) Vulnerability scanning and patch management

5) Access management

6) Perimeter security

I’m pleased to see them address somewhat deeper technical aspects, which they have not done previously: for example, the common use of RDP for remote access, which in many cases is a more dangerous access vector than in the past. However, they neglected to describe specific changes in ransomware attack methodologies (incorporating aspects of advanced persistent threat actors, quietly embedding themselves for weeks within an organization before initiating an en masse encryption event across all systems simultaneously, usually at the beginning of a weekend).

Nevertheless, it’s valuable that the SEC-OCIE continues to emphasize how critical cybersecurity remains, even though there’s truly no new news to tell.

Eldon Sprickerhoff

Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.