Cybersecurity: Mitigating Vendor and Change Management Risks

Cyber criminals have been active and the costs of compliance or, worse, a security breach, continue to rise. Join our experts Tim Buckler, Ed Wegener and Buddy Doyle as they discuss ways your firm can mitigate cyber threats arising from your vendors and when you are changing technology platforms.

Transcript

Speaker 1: 0:09

Welcome to the Oyster Stew podcast, where we discuss what’s happening in the industry based on what we see as we work with regulators and clients. Oyster consultants are industry practitioners; we aren’t career consultants. We’ve done your job and we know the issues you face. You can learn more about Oyster Consulting and the value we can add to your firm by going to our website, oysterllc.com.

Speaker 2: 0:43

Everybody, I’m Buddy Doyle, chief executive officer of Oyster Consulting, and I’m joined again by Tim Buckler and Ed Wegener in the second part of our series, where we’re talking about cybersecurity.

Speaker 3: 0:56

The last piece of data loss prevention I wanted to discuss today was around vendors. It’s very important that you make an assessment of the risk of the vendor. And it’s important to make sure that when you do this risk assessment, you’re not just making an assessment of the vendor, but also the data that you’re sharing with that vendor, you should understand how sensitive that data is and the critical nature of that data to make sure that you have the right review process, to make sure that that vendor’s risk appetite is appropriate for the data you’re sharing with them. And those risk assessments should be done not only when you onboard the vendor, but also periodically to make sure that nothing has changed. If you do a business change, you also need to reassess your vendors in case your threat level has changed as a consequence.

Speaker 2: 1:45

And you should really think about not just looking at your vendor, but making sure that you understand their controls around their vendors. Fourth-party risk is something that should be part of your cybersecurity program.

Speaker 3: 2:00

As I was going to add, GDPR has made that much easier to understand for our European friends, because GDPR requires not only the controller of the data to fill out any information, but also who they shared that data with on their client’s behalf has to be shared. Companies in the EU have much stronger requirements about reporting where their data is. If I had to guess, people are going to more follow the CCPA model, which is more about selling data rather than protecting data and giving rights to data. Basically, under CCPA, if you don’t sell data, there’s almost nothing in there. There’s like a single sentence that says, hey, protect your data for a while. There

Speaker 2: 2:39

In GDPR, we were hearing people on both sides of the aisle talking about US citizens being sort of second-class citizens, because they can own their own information, but that’s sort of settled down now. Getting into some of the other things where risk really tends to occur is, as Tim brought up earlier, when you’re changing your systems, whether that’s hardware or software. Really, that change process and controlling that can really help you manage that risk. And you want to have a pretty formal process, and you’ve got to have the right one for you. And depending on how long your change process occurs, we’ll help you understand how to construct that. But there are some common principles, I think, that fall into place. One is making sure that that change is well documented. By a well-documented change: what’s the business looking for? How is the technology being changed and controlled? There’s two different views of that. And then how is that approved and verified and tested and authorized to move forward, and communicated for that matter. We have seen clients that have an eight-hour software development life cycle process, where they’re tuning algorithms or adjusting systems overnight to get ready for the next morning’s trading. And those can go very, very fast. A back office conversion and all the ancillary system integrations that go along with that can take many months to get through. The key, I think, with change management is having a framework and a good definition of how to approach it, but the flexibility to understand that not all changes are created equal. It’s a really important part, though, to make sure there is a formal documented process that goes along with whatever changes you’re making, and that they are tested, anything bigger than a breadbox at least. And you can take a risk-based approach to this: it is tested to the level that it needs to be to be sure that it worked as designed.

Speaker 4: 5:08

And the testing doesn’t just end once you’ve implemented the change, right at the time you’re implementing it. After that change has been implemented for a while, you’re going to want to go back and test and make sure that over time that change has gone the way that you wanted it to, and that you can identify any unintended issues that resulted over time.

Speaker 2: 5:32

And don’t forget to have a process for dealing with legacy data. If you’re replacing a server, how are you destroying the data that existed on that server? If you’re converting from one system to another and you have to keep your old system records for record retention requirements under rules and regulations, you probably need to consider how you’re going to incorporate that into your cybersecurity program going forward. Because just because you wrote that record four years ago on a trade blotter on a different system doesn’t mean it doesn’t still exist on that system. And if those controls stay the same, criminals keep getting more professional and they

Speaker 4: 6:26

Are getting better. But that’s one of the things that regulators have also identified as a key component of a cybersecurity program, and that’s having an incident response plan. The important thing there is to not wait until there’s a breach to start thinking about what we should do if there is a breach. When you have a breach, things move very quickly, and it’s not a good time to be considering what to do at that point. Some of the things that FINRA identified as being important components of an incident response plan are conducting threat assessments and having monitoring strategies; containment and mitigation strategies, to make sure that you can limit the amount of damage that’s done (and again, that’s a matter of doing things quickly and making sure that things are contained); importantly, having a plan to contact and communicate with affected stakeholders that might be impacted by the breach; and then having an eradication and recovery plan so that you can get back to normal operating procedures. Again, these are important steps to have, but things that you should be planning for. Nobody wants to have a cybersecurity breach, but if you do, you want to be prepared for what you need to do. And part of that is going to be potentially reaching out in advance to parties like attorneys, insurance companies, and other technology people that you might want to reach out to, just so that you’re ready for the unfortunate circumstances that could come if you do have a breach.

Speaker 2: 8:02

Yeah. There’s no better time to plan than in advance. And it really is having that incident response team already together and understanding the tactics and how you’re going to approach an incident that is really important. If you’ve ever had your kitchen catch on fire, that freaks you out because you haven’t gone through it. You’re just going crazy. But when the fire department comes in, they’re not freaking out; they just walk in, they spray the fire down, they make a big mess and then they leave. And I think that a cyber event can be a very scary time for organizations to go through. And I would say, keep your head about you as much as you can. Have a tactical plan, not just the philosophical plan, but a tactical plan for the things that you’re going to do and the order that you’re going to do them. And make sure that you understand the source of the threat, where that data resides, is that data in an environment that is segregated from all the other data that you have; you can really start focusing in on the real threats and then make sure that you really deal with it appropriately. So I always, you know, think of crisis management, and the best crisis management that you see, you know, is still probably the Tylenol case, right? Where the incident occurred, they ripped all of it off the shelf, whether they needed to or not, and replaced it and kept their clients understanding that they had integrity. You need to have a very good plan for not only dealing with the threat at hand, but dealing with the impacts of what took place, and do it in a thoughtful manner, because there is no easier time to lose client confidence than during a breach. And there can also be a time to gain client confidence during a crisis. It’s one of those things where you want to have that laid out.
You want to have good advice: good advice from technologists, good advice from counsel, good advice from business leaders, and make sure that you deal with this in a holistic fashion. And the way you designed your control environment can help you design your incident response.

Speaker 3: 10:48

That’s right. And one thing I’d like to add is that getting cybersecurity insurance is one of the great ways you can take yourself, because if you get ransomwared, your cybersecurity insurance may cover this everywhere. And so you don’t have to worry about, is this going to cost my firm 10, 20, $30,000, a million dollars, whatever it is, because you know the insurance company is going to have your back. They also make a great resource for someone to reach out to at the time of the incident, because they have teams dedicated to supporting firms when they go through that.

Speaker 2: 11:22

And make sure again, when you get your cybersecurity insurance (if you get cybersecurity insurance, and I would encourage you to look into that), that, one, you look at the kinds of records you have and some of the cost-per-incident-type averages, to help you decide how much insurance to get, but also make sure that you’re following your own procedures, so that should you make a claim, you can collect on that claim. It’s one thing to have insurance, but if you’re not doing the things that the insurance company believes that you’re doing, because you told them you do, you may not quite have the outcome you were looking for. All right. So Ed, do you want to cover training?

Speaker 4: 12:10

Anything with respect to a strong compliance and controls program, training is a critical part of that, with cybersecurity especially. And that’s especially the case, as Buddy and Tim both talked about, because there’s a significant amount of exposure that you have from people inside your organization. And you want to make sure that you use appropriate training to make sure you’re mitigating that risk. An effective training program should be tailored based on the particular role of the person being trained. If it’s a frontline employee, focus on the practical steps that they can take to protect information from their perspective. Explaining the costs of a cybersecurity incident is helpful because it kind of puts that in perspective for the employees that taking the steps really matters for them, that there’s a cost to them if there’s a cyber breach. So talk about the reputational damage to the firm, the potential loss of revenue and the potential loss of jobs, depending on the severity of the incident. Employees should come away from the training programs with a good awareness of the firm’s policies and what is expected of them. Things like appropriate use of hardware and software, unauthorized software, data storage types that are prohibited (things like thumb drives and CDs, if you prohibit those), unauthorized use of particular hardware, appropriate and inappropriate use of the internet. Make sure that they understand some of the common threats, like we discussed, things like social engineering and phishing, and make sure that they understand the controls and practices that the firm has in place and that they should be taking, things like we talked about before: password protection, updating antivirus software, patch management. All of that should be incorporated in a firm’s training program.
And the training should be done regularly, at a minimum annually, but probably more often than that, just to make sure that employees really understand what’s expected of them, that they come away with practical things that they can do to help protect information, so that you can help mitigate the risks that come from your employees, from those insiders.

Speaker 2: 14:30

And I would say, don’t forget, you’re trying to change behavior with your training, right? So there’s an awareness component to training of the kinds of threats and the things to look for. But you also want to make sure that you’re driving that behavior. In my opinion, that you have an environment where if somebody thinks they might have something going on, they escalate it. And that escalation process is really important. And one of the ways I’ve found to help drive behavior is storytelling during training, to try to make it as relatable to the audience that you’re talking with. Whether that’s social engineering with, we have some clients that are very philanthropic. They do a lot of community work and a lot of service. And if you’re talking about social engineering, one of the effective ways to help them through that is to talk about a scenario where the organization would call up and say, hey, you know, we really appreciate your contributions. And those things are often public and out in the press. We really appreciate your contributions. We’d like you to fill out some profile information so we can highlight you in an upcoming piece of marketing. I’m going to send you a link. And that feels so real. Next thing you know, they kinda got you. Or talk about scenarios where employees have had a piece of equipment stolen and what led to that and how they responded and what happened next. And those kinds of things can really drive people to make different decisions. And Ed, I agree with the frequency with which you communicate this, even if it’s little 30-second, one-minute conversations in routine meetings about a tip or something that you’ve seen, in addition to that annual web-based training or whatever they get, that might feel a little white-papery even to them. The more you can do to communicate that, the more likely you are to keep your data secure, or when something happens, be able to respond really quickly.

Speaker 3: 17:02

And the one thing I want to add is that recording your training so that employees can go back at a later time to refresh themselves on your policies or the best approaches is a great idea. And also you should point them in the right direction of your policies and procedures in that training. You can’t cover everything. So you should also say, please review these materials, and tell them where they are, and not just your internal materials. You should also have information about things in general, so they can just become more well versed in how the threat environment looks today, how they can protect themselves at work and at home, and just create a better environment for them to think more about cybersecurity than just don’t click on a link. It should be much more personal than that.

Speaker 2: 17:49

I think that you’ve got to keep in mind that when a cyber criminal sends a link, if you don’t click on it, no big deal. If they call you and you don’t respond to a phishing exercise, or they ask you for information, no big deal. But you have to be right each and every time; they can be wrong over and over and over, and it costs them hardly anything in terms of time and money. But when you’re wrong, it can cost you a lot of time and money. All right. Thanks everybody. Hope you have a great

Speaker 1: 18:35

Thanks for listening. And if you like what you heard, make sure to follow the Oyster Stew podcast on whatever platform you listen to. If you’d like to learn how we can help firms start, run, protect, and grow their business, visit our website at oysterllc.com.

About The Authors

As CEO of Oyster Consulting, Buddy Doyle has led the charge to create a successful organization built on the belief that transforming experienced industry practitioners into consultants adds more value to our clients.

Ed Wegener is an innovative compliance, risk management and supervisory controls expert with deep understanding of Federal Securities Laws and the rules of self-regulatory organizations, as well as technology optimization and risk mitigation. Prior to joining Oyster, Ed held several posts in FINRA, most recently as Senior VP and Midwest Regional Director.

Tim Buckler has spent 10 years in the financial services industry, with a focus on project management, cybersecurity, data analysis, and compliance. Tim’s experience includes project management support for clearing platform conversions, cybersecurity assessments, GDPR and CCPA assessments, performing 12b-1 Mutual Fund fees analysis for regulatory initiatives, and ownership changes for custodial IRA held annuities.
