This glossary of key cyber terms covers the terms all RIAs should be familiar with in advance of your next SEC cybersecurity exam. Each of them is also a component of a firm’s risk assessment, which should be performed at least annually. What’s more: the SEC’s proposed Cybersecurity and Risk Management Rule may soon require all RIAs to be familiar with these terms.
- Access Reviews: An access review is the periodic process of verifying the rights and privileges of everyone who can interact with the firm’s data and applications, confirming that each person still needs the access they hold and removing access that is no longer required. Access reviews should cover employees, vendors, and any other third party with access to your firm’s data.
- Bring your own device (“BYOD”): Bring your own device (BYOD) refers to the practice of employees using personal devices to connect to their organization’s networks and to access work-related servers and sensitive or confidential data. Personal devices include personal computers, smartphones, tablets, and USB drives.
- Business Continuity Plan: A written plan that documents the critical information necessary for the firm to continue operating during an unplanned event.
- Business Email Compromise: An attack in which a business email account is taken over (or convincingly impersonated) and used to induce employees, clients, or vendors to transfer funds or disclose valuable information, for example by sending fraudulent wire instructions that appear to come from a principal of the firm.
- Credential Stuffing: A cyber attack in which the attacker takes username and password pairs exposed in a breach of one service and uses them, typically with automated tooling, to attempt logins at other services. It succeeds because people reuse passwords across accounts.
- Dark Web Scan: The dark web is the portion of the internet reachable only through anonymizing networks such as Tor and not indexed by ordinary search engines; it hosts forums and markets where stolen credentials and data are traded. A dark web scan monitors these sources for a firm’s exposed passwords, email addresses, and other sensitive information.
- Disaster Recovery Plan: A written plan that documents a firm’s response to unplanned events that disrupt or threaten to disrupt the ordinary course of business, such as natural disasters and power outages.
- Endpoint Detection and Response (“EDR”): EDR, also known as endpoint threat detection and response (ETDR), is a class of tools for protecting endpoints such as workstations, laptops, and servers. EDR platforms continuously monitor endpoint activity, detect suspicious behavior, and give responders the ability to investigate and act, for example by isolating an affected host from the network.
- Encryption: The process of converting plaintext data into ciphertext that cannot be read by anyone who does not hold the corresponding decryption key.
- Firewall: Software or hardware that monitors and filters inbound and outbound network traffic based on an established security policy.
- Incident: An occurrence that results in a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- Incident Response Plan: A set of predetermined and documented procedures to detect and respond to a cyber incident.
- Internal Scans and External Scans:
- Internal Scans: Internal scans run from inside a company’s network and firewall. They look for weaknesses in systems and servers that an attacker could exploit after gaining a foothold inside your network.
- External Scans: External scans run from outside a company’s network and firewall. They identify vulnerabilities in internet-facing IT assets, applications, and open ports that an attacker could exploit to gain initial access.
- Malicious Software (“Malware”): Software or code designed to damage, disrupt, or gain unauthorized access to a system.
- Man in the Middle Attack (“MITM”): A general term for an attack in which an adversary positions himself between two communicating parties, for example between a user and an application or between a computer and a router, and relays the traffic between them. If the traffic is unencrypted, or the adversary can defeat the connection’s authentication (for instance by presenting a forged certificate that the user accepts), he can read and alter everything transmitted. Properly configured encryption with certificate validation is the primary defense.
- Managed Service Provider (“MSP”): A firm that manages one or more areas of another business’s operations. In the cybersecurity space, an MSP provides ongoing cybersecurity support, such as network, application, and infrastructure security.
- Multi-Factor Authentication (“MFA”): MFA requires a user to present two or more independent factors from different categories: something you know (a password or PIN), something you have (a hardware token, smart card, or authenticator app), and something you are (a fingerprint, retina, or facial scan). Location- and time-based checks are sometimes added as further signals. Two-factor authentication (2FA) is MFA with exactly two factors. The SEC’s proposed Cybersecurity and Risk Management rule would require firms to implement two or more authentication methods.
- Patch: A patch delivers additional, revised, or updated code for an operating system or application, often to fix a security vulnerability. Because most software vendors (other than open-source projects) do not publish their source code, firms depend on vendor-supplied patches to remediate vulnerabilities and should apply them promptly.
- Pen Tests: A penetration test, or pen test, is a simulated attempt to exploit weaknesses or vulnerabilities in systems, networks, human resources, or physical assets to stress test the effectiveness of security controls.
- Phishing: A form of social engineering delivered by email, social media, instant messaging, or other platforms. Bad actors pose as a colleague or a trusted organization to lure the victim into providing sensitive information or granting access to an account or network.
- Ransomware: A type of malware that encrypts data and demands payment of a ransom in exchange for the decryption key; many current variants also steal the data before encrypting it and threaten to publish it. Ransomware is deployed into targeted networks by a variety of delivery methods, such as phishing, exploitation of software vulnerabilities, and unpatched or misconfigured systems.
- Regulation S-ID: Under Regulation S-ID, the SEC requires financial institutions and creditors subject to its jurisdiction (including many investment advisers), as those terms are defined under the Fair Credit Reporting Act, to initially determine and periodically review whether they offer or maintain covered accounts. A covered account includes an account offered or maintained primarily for personal, family, or household purposes that permits multiple payments or transactions, as well as any other account for which there is a reasonably foreseeable risk of identity theft. Institutions with covered accounts are required to have a written identity theft program in place to detect, prevent, and mitigate identity theft related to new and existing covered accounts.
- Regulation S-P: Under Regulation S-P, the SEC requires registered broker-dealers, investment companies, and investment advisers to adopt policies and procedures that implement protections for their consumers’ nonpublic personal information. These broker-dealers, investment companies, and investment advisers must provide consumers with a notice of their privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless notice is provided to the consumer and the consumer has not opted out of the disclosure.
- Smishing: Phishing by text (SMS).
- Social Engineering: Techniques that psychologically manipulate people into breaking standard security procedures and best practices, in order to gain unauthorized access to systems, networks, or physical locations, or for financial gain.
- Spear-phishing: A method of phishing that uses social engineering to target specific individuals or groups, which increases the likelihood of a successful attack.
- Spoofing: An attack method in which an adversary impersonates a trusted person, device, or service (for example, by forging the sender address of an email or registering a look-alike domain) to gain a victim’s trust, get access to a system, steal data, or spread malware.
- Spyware: A type of malware designed to covertly collect information about a user and their computer activities, such as keystrokes, browsing history, and credentials.
- Supply Chain Attack: A cyber-attack that targets a company’s vendors, or the software and services it depends on, in order to reach the company through a trusted relationship and gain access to sensitive information. Oftentimes the vendors have weaker cybersecurity practices, or a single compromised vendor can be used to attack many of its customers at once. This is why it’s very important to know your vendors, particularly your MSP, or managed service provider.
- Tabletop Exercises: A tabletop exercise is a discussion-based exercise, led by a facilitator, in which personnel walk through their roles, responsibilities, and step-by-step response to a potential scenario under one of the firm’s response plans. Tabletop exercises can be used to test a variety of plans, including Disaster Recovery, Business Continuity, and Incident Response plans.
- Two-Factor Authentication (“2FA”): 2FA adds a second method of authentication beyond a username and password, e.g., a phone push notification, an SMS code, or a one-time password from an authenticator app or hardware token. The SEC’s proposed Cybersecurity and Risk Management rule would require firms to implement two or more methods of authentication (2FA/MFA) for login systems.
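The Credential Stuffing entry above describes the attack; the following is an added example (not part of the original glossary) of the detection logic a firm or its MSP might run over authentication logs to tell credential stuffing apart from a brute-force attack on a single account. The log format and the IP addresses are constructed for the illustration; real identity-provider or VPN logs carry different fields, so the parser would need adapting.

```python
"""Detect credential-stuffing patterns in authentication logs (added example).

Credential stuffing tries one leaked password per account across MANY accounts,
so one source produces many distinct usernames with a low success rate.
A brute-force attack tries many passwords against ONE account, so one source
produces many attempts for a single username.
"""
from collections import defaultdict

# Constructed sample log: "timestamp ip username result" (hypothetical format).
# 203.0.113.10 sprays ten different accounts (credential stuffing, one hit).
# 198.51.100.7 hammers the single account "alice" (brute force).
# 192.0.2.44 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.10 alice FAIL
2024-05-01T09:00:02Z 203.0.113.10 bob FAIL
2024-05-01T09:00:02Z 203.0.113.10 carol FAIL
2024-05-01T09:00:03Z 203.0.113.10 dave SUCCESS
2024-05-01T09:00:03Z 203.0.113.10 erin FAIL
2024-05-01T09:00:04Z 203.0.113.10 frank FAIL
2024-05-01T09:00:05Z 203.0.113.10 grace FAIL
2024-05-01T09:00:05Z 203.0.113.10 heidi FAIL
2024-05-01T09:00:06Z 203.0.113.10 ivan FAIL
2024-05-01T09:00:06Z 203.0.113.10 judy FAIL
2024-05-01T09:05:00Z 198.51.100.7 alice FAIL
2024-05-01T09:05:10Z 198.51.100.7 alice FAIL
2024-05-01T09:05:20Z 198.51.100.7 alice FAIL
2024-05-01T09:05:30Z 198.51.100.7 alice FAIL
2024-05-01T09:05:40Z 198.51.100.7 alice FAIL
2024-05-01T09:05:50Z 198.51.100.7 alice FAIL
2024-05-01T09:06:00Z 198.51.100.7 alice FAIL
2024-05-01T09:06:10Z 198.51.100.7 alice FAIL
2024-05-01T09:06:20Z 198.51.100.7 alice FAIL
2024-05-01T09:06:30Z 198.51.100.7 alice FAIL
2024-05-01T09:10:00Z 192.0.2.44 mallory SUCCESS
2024-05-01T09:11:00Z 192.0.2.44 mallory FAIL
2024-05-01T09:12:00Z 192.0.2.44 mallory SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "SUCCESS"))
    return events


def classify_sources(events, min_attempts=10, min_distinct_users=5, max_success_rate=0.2):
    """Label each source IP as 'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are illustrative; tune them to the firm's normal login volume.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        stats["successes"] += int(ok)

    labels = {}
    for ip, stats in per_ip.items():
        if stats["attempts"] < min_attempts:
            labels[ip] = "normal"  # too little volume to be an automated attack
            continue
        success_rate = stats["successes"] / stats["attempts"]
        if success_rate > max_success_rate:
            labels[ip] = "normal"  # a shared office/NAT address logging in legitimately
        elif len(stats["users"]) >= min_distinct_users:
            labels[ip] = "credential_stuffing"  # many accounts, mostly failing
        else:
            labels[ip] = "brute_force"  # one or few accounts, many failures
    return labels


def compromised_accounts(events, labels):
    """Accounts that logged in successfully from a flagged source.

    A success during a stuffing or brute-force run means the attacker's guess was
    right: those accounts need a forced password reset and a session revocation.
    """
    return sorted({user for _, ip, user, ok in events
                   if ok and labels.get(ip) in ("credential_stuffing", "brute_force")})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evts)
    for ip, label in sorted(verdicts.items()):
        print(f"{ip:15} {label}")
    print("reset required for:", compromised_accounts(evts, verdicts))
```

Per-source heuristics like this are a starting point, not a complete control: real credential-stuffing campaigns are spread across botnets so that each IP stays under the threshold, which is why defenders also count distinct usernames and failure rates across the whole login surface, and why MFA (so that a correct password alone is not enough) and a ban on password reuse are the controls that actually blunt the attack.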