ACE IT Solutions

SEC Releases Cybersecurity Exam Findings: More Compliance Suggestions for Hedge Funds

The SEC has released observations from its Cybersecurity 2 Initiative (as a follow-up to its 2015 OCIE exam initiative). National Examination Program staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness.

“The examinations focused on firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed. In addition, the staff sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.” (see Risk Alert)

Generally, the SEC staff found improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices. Specifically, all broker-dealers, all funds, and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information.

However, OCIE examiners found the following weaknesses:

  • Policies and procedures were not tailored specifically enough and were too general, narrowly scoped or vague.
  • Firms don’t appear to be following and/or enforcing policies and procedures.
  • Firms are not following through on employee security awareness training.
  • Security reviews are not being conducted annually as stated in the policies and procedures.
  • Firms are still using outdated operating systems.
  • High-risk findings from penetration tests or vulnerability scans did not appear to be fully remediated in a timely manner.

The SEC continues to suggest the following elements to strengthen firms’ security postures:

  • Policies and procedures should include inventory of data, information and vendors.
  • Detailed instructions should be developed and followed for penetration tests, security monitoring, access rights and reporting.
  • Strict schedules should be adhered to for vulnerability scans and patch management.
  • Controls to access data and systems should be established and enforced.
  • Security training should be mandatory for all employees at on-boarding and periodically thereafter.
  • Senior management MUST engage in the process for it to be successful.

Cybersecurity remains one of the top compliance risks for financial firms. The OCIE will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms. Contact ACE IT Solutions at 646.558.6358 to ensure that your firm is properly prepared for these exams.

Read the full OCIE Risk Alert here: https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf

Could a Cybersecurity Breach Get You Fired?

As cybersecurity becomes a priority for managing business risk, C-level executives are being held accountable for cybersecurity weaknesses in their organization. With the recent deluge of high-profile breaches, CEO tenure is now at risk based on the effective control and protection of corporate assets. A cybersecurity hack could ruin a company. Board members (and stockholders)… Continue Reading

ACE IT Solutions Sponsors Annual AITEC Charity Golf Event

ACE IT Solutions is a proud sponsor of AITEC’s fifth-annual Charity Golf Event, to be held on June 15, 2017 at the Upper Montclair County Country Club in Clifton, NJ. The AITEC Gives Back Foundation was created to further the altruism of business leaders in the investment industry. The AITEC Gives Back charity golf event started in 2013… Continue Reading

8 Tips for Improving Your Business’ Security Posture

Cybersecurity doesn’t have to be expensive or complicated, but it must be given the proper attention. Security is no longer an optional service. It should be woven into every aspect of a business’ technology infrastructure and it requires attention on every level — from employees to c-level executives. Implement these simple strategies to help protect… Continue Reading

What Businesses Can Learn from British Airways’ Technology Outage

British Airways’ massive technology outage that occurred over Memorial Day weekend is said to cost the airline $68 million and stranded over 75,000 people. The outage involved a power surge on Saturday morning that hit the airline’s flight, baggage and communication systems and left the airline scrambling to bring systems back online and appease frustrated customers. British Airways is… Continue Reading

What You Need to Know About WannaCry Ransomware

The WannaCry Ransomware attack has been touted as the biggest ransomware attack in history. The attack has engulfed businesses around the world, bringing many large enterprises and hospitals to a standstill. The ransomware affects Microsoft Systems, particularly older, unpatched operating systems such as XP. Microsoft released a patch for versions of Windows it no longer supports… Continue Reading

What SMBs Need to Know About Cybersecurity

SMBs mistakenly believe they are too small to be targeted by hackers and ransomware. In fact, SMBs fall into hackers’ cybersecurity sweet spot — they have valuable digital assets, but tend to have less cybersecurity in place than a larger enterprise. Cybercriminals know that SMBs are an easy target with a potentially large and damaging… Continue Reading

NY DFS Tightens Screws on 3rd Party Cyber-Risk for Financial Firms

ACE IT Solutions Managing Partner, Warren Finkel, recently spoke to FinOps about New York State’s Department of Financial Services new rules on managing cyber-risks and how banks are expected to protect critical non-public customer data. “Out of sight doesn’t mean out of mind when it comes to following New York State’s new rigorous rules on… Continue Reading

ACE IT Solutions Recognized for Excellence in Managed Security Services

New York, NY, February 15, 2017 – ACE IT Solutions announced today that CRN®, a brand of The Channel Company, has named ACE IT Solutions to its 2017 Managed Service Provider (MSP) 500 list in the Managed Security 100 category. This annual list recognizes North American solution providers with cutting-edge approaches to delivering managed IT… Continue Reading