March 2022 Cyber Recap

April 6, 2022

March 2022 Cyber RecapWHAT HAPPENED?Significant changes are on the horizon for cybersecurity requirements for investment advisers and other companies in critical infrastructure.

March 9th, 2022: On March 9th, 2022, the SEC proposed rules and amendments surrounding cybersecurity for RIAs and public companies to enhance disclosures regarding cybersecurity risks management, strategy, governance, and incident reporting.

The proposal would require the following;

• Current reporting for material cybersecurity incidents on Form 8-K
• Periodic disclosures regarding:
  • A registrant’s policies and procedures to identify and manage cybersecurity risks
  • Management’s role in implementing the policies and procedures
  • The Board of Directors’ cybersecurity expertise (if any) and oversight of cybersecurity risk
  • Updates about previously reported material cybersecurity incidents
• Cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (Inline XBRL)

March 15th, 2022: On March 15th, 2022, President Biden signed the Consolidated Appropriations Act, 2022, the fiscal year 2022 omnibus spending bill. The bill includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Division Y) that would require an entity to report “substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule” to the Cyber and Infrastructure Security Agency (“CISA”).

Under the law, any covered entity that experiences a substantial cyber incident must:

• Within 72 hours of the incident, report the incident to the CISA.
• Within 24 hours of a ransom payment being made in connection to a ransomware attack (if applicable), report the payment to the CISA.
• Provide supplemental information and data preservation related to the incident.

The CISA has 24 months to further define what this law will entail; however, the financial services industry is considered to be critical infrastructure. Companies must review and revise their incident response policy and plan as needed in order to comply with the law.

March 21st, 2022: President Biden made a National Security Alert statement on March 21st, 2022, regarding our nation’s cybersecurity. President Biden emphasized his previous warning about the potential threat of Russia conducting malicious cyber activity against the United States and the critical importance of cybersecurity. The President urged companies to harden their cyber defenses immediately and utilize cybersecurity best practices that have been developed over the last year. A joint cybersecurity advisory alert was also issued by the FBI, CISA, MS-ISAC in response to a Chinese advanced persistent threat (APT) group leveraging customized attacks using tools like KEYPLUG and Remote Access Trojan.

March 30th, 2022: The Division of Examinations (“Division”) published its 2022 Examination Priorities.
One of the five significant focus areas for 2022 was Information and Security and Operational Resiliency. Implementing information security controls is critical to protecting investor information, business continuity, and maintaining strong financial markets. A single data breach typically spans across a wide net, impacting not only the firm, but other market participants and retail investors. To counteract this risk, the Division will continue to review practices investment advisers have in place to:

1. Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
2. Oversee vendors and service providers;
3. Address malicious email activities including phishing or account intrusions;
4. Respond to incidents, including those related to ransomware attacks;
5. Identify and detect red flags related to identity theft; and
6. Manage operational risk due to a dispersed workforce in a work-from-home environment.

The Division will also continue reviewing business continuity and disaster recovery plans, with a focus on compliance with Regulations S-P and S-ID.WHAT DOES THIS MEAN FOR ME?Firms should consider what changes would be necessary to comply with the Cyber Incident and Reporting Act and proposed amendments. Firms should also take a defensive stance in response to security alerts External vulnerability scans should be conducted regularly. Vulnerabilities identified should be resolved in a timely manner. Incident Response Plans should be reviewed regularly and updated if needed. Reviews of employee credentials and access levels should be conducted regularly and documented appropriately. Multi-factor Authentication (“MFA”) should be implemented when possible and companies should take time to update their network diagram.

In addition, firms should:

• Enable Endpoint Detection and Response on all endpoints with protection mode on
• Review offline collector reports
• Enable MFA on all O365 accounts
• Enable MFA on all VPN accounts
• Stay current on security patching
• Keep policies and procedures up to date
• Confirm new employees are up to date on all training

If your firm requires assistance interpreting and implementing these proposed cybersecurity laws, amendments, recommendations, or is seeking further guidance on cybersecurity issues, Fairview Cyber can help. Contact us today for more information about our services.