
SEC Releases Cybersecurity Exam Findings: More Compliance Suggestions for Hedge Funds

The SEC has released observations from its Cybersecurity 2 Initiative (as a follow-up to its 2015 OCIE exam initiative). National Examination Program staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness.

“The examinations focused on firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed. In addition, the staff sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.” (see Risk Alert)

Generally, the SEC staff found improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices. Specifically, all broker-dealers, all funds, and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information.

However, OCIE examiners found the following weaknesses:

  • Policies and procedures were not tailored to the firm's actual operations and were too general, narrowly scoped or vague.
  • Firms did not appear to be following or enforcing their own policies and procedures.
  • Firms are not following through on employee security awareness training.
  • Security reviews are not being conducted annually as stated in the policies and procedures.
  • Firms are still using outdated operating systems.
  • High-risk findings from penetration tests or vulnerability scans did not appear to be fully remediated in a timely manner.

The SEC continues to suggest the following elements to strengthen firms’ security postures:

  • Policies and procedures should include inventory of data, information and vendors.
  • Detailed instructions should be developed and followed for penetration tests, security monitoring, access rights and reporting.
  • Strict schedules should be adhered to for vulnerability scans and patch management.
  • Controls governing access to data and systems should be established and enforced.
  • Security training should be mandatory for all employees at on-boarding and periodically thereafter.
  • Senior management MUST engage in the process for it to be successful.

Cybersecurity remains one of the top compliance risks for financial firms. The OCIE will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms. Contact ACE IT Solutions at 646.558.6358 to ensure that your firm is properly prepared for these exams.

Read the full OCIE Risk Alert here: https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf

ACE IT Solutions Sponsors Annual AITEC Charity Golf Event

ACE IT Solutions is a proud sponsor of AITEC’s fifth-annual Charity Golf Event, to be held on June 15, 2017 at the Upper Montclair County Country Club in Clifton, NJ. The AITEC Gives Back Foundation was created to further the altruism of business leaders in the investment industry. The AITEC Gives Back charity golf event started in 2013…

What You Need to Know About WannaCry Ransomware

The WannaCry Ransomware attack has been touted as the biggest ransomware attack in history. The attack has engulfed businesses around the world, bringing many large enterprises and hospitals to a standstill. The ransomware affects Microsoft Systems, particularly older, unpatched operating systems such as XP. Microsoft released a patch for versions of Windows it no longer supports…

NY DFS Releases Cybersecurity Requirements for Financial Service Companies

New cybersecurity regulations are set to go into effect on March 1, and NY-based financial firms need to be prepared. Announced in September 2016, the new cybersecurity regulation, known as 23 NYCRR 500, was developed to “guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent…

Simplify Cybersecurity with a Proactive Approach to Security Threats

ACE IT Solutions’ cybersecurity partner, IBM Security, has launched a new team of global experts, IBM X-Force IRIS, to help clients prepare for and rapidly respond to security threats with best-of-breed security solutions. Our seasoned experts and consultants deliver threat intelligence services, incident preparedness planning and onsite response services to help organizations stay ahead…

Restore Systems After Ransomware without Paying

The San Francisco Municipal Transportation Authority (SFMTA) was hit with a ransomware attack the morning of Friday, Nov. 25. It is reported that the hacker demanded approximately $73,000 USD to restore operations. Fortunately, the SFMTA had an information technology team in place and backup systems that allowed the SFMTA to bounce back without paying a cent…

Protecting Your Network From Ransomware: Tips from the FBI

Ransomware is the fastest growing malware threat, targeting users in all industries and businesses of all sizes. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. What is Ransomware? Ransomware is a form of malware that…