As businesses are digitally transformed, our exposure to risk is changing. In the financial industry, the stakes are much higher.
The SEC Cybersecurity Guidance helps registered investment advisors respond to these threats. It also makes sure that they have a plan in place to respond to them. For example, one such threat is the loss of data due to a breach.
So what does the SEC Cybersecurity Guidance say about data loss prevention? Here's a direct quote:
"Firm policies and procedures related to enterprise data loss prevention and information related to the following:
Data mapping, with particular emphasis on understanding information ownership and how the firm documents or evidences personally identifiable information (“PII”); and
The systems, utilities, and tools used to prevent, detect, and monitor data loss as it relates to PII and access to customer accounts, including a description of the functions and source of these resources.
Firm policies related to data classification, including: information regarding the types of data classification; the risk level (e.g., low, medium, or high) associated with each data classification; the factors considered when classifying data; and how the factors and risks are considered when the firm makes data classification determinations.
Firm policies and procedures related to monitoring exfiltration and unauthorized distribution of sensitive information outside of the firm through various distribution channels (e.g., email, physical media, hard copy, or web-based file transfer programs) and any documentation evidencing this monitoring."
What does all this mean? Let’s walk through what each section of the guide means in the real world.
First, let’s define it. Data loss prevention or DLP is a data protection strategy. It makes sure that employees don’t send sensitive information outside their network. Sensitive information is confidential data, which, in a data leak, could affect your client’s safety or your business’ reputation.
It's critical because when unauthorized individuals view sensitive data, it creates significant risk. For example, an employee can forward an email with confidential information by mistake. Or they might email a copy of a client file to their private email address.
While there may not have been any malicious intent, it could spell disaster!
Sometimes, a bad actor in your organization might steal a customer database by copying it to a USB drive. Or a hacker can take control of an employee account and gain access to your customer database. They can then upload this information to Dropbox or Google Drive within seconds.
Companies today face a variety of threats. But, following the SEC Cybersecurity Guidance will help you protect your critical data.
The first step in this whole process is to figure out what you need to protect. You can do this by making a detailed list of all the data you have. This is what the SEC calls “data classification.”
When you create a list of all your data, make sure to assign their level of priority. For example, your customer account numbers need to be classified as “high priority.” Employee first names can be classified as “low priority.”
The approach you take to secure your data will vary based on high vs. low risk. Of course, focus more of your efforts on high-risk data.
Hackers also want to steal your high priority data. This is because it commands the highest value on the black market.
Regardless of how you look at it, it’s your job to go the extra mile to protect your high priority data. After all, it’s your crown jewels!
To protect high priority data, you have to first figure out where it is. The SEC Cybersecurity Guidance talks about “data mapping.” This is a list of your sensitive data and what state it’s in.
What does that mean? Let’s break it down.
Data can be in motion, in use, or at rest.
Data in motion, for example, is your digital files moving around inside or outside of the company. This can be through physical media devices like USB drives or DVDs. Or it can be via email attachments and uploads to websites (think Dropbox).
The other states like “in use” or “at rest” are exactly what they sound like. Data in use is when you or an employee is working on a file. Data at rest, for example, is when you save a file onto your computer or store it on a (private) cloud.
Protecting sensitive information starts with asking questions like:
How do I protect data when an employee is working with an open record?
What about saved files?
What about sensitive information on printed documents?
For the latter, you can use a shredder. For everything else, as a rule, you have to take steps to deny all "unauthorized transfers." In fact, SEC examiners might look at the steps you took to verify customer requests to transfer funds.
Don't attempt to secure data at an individual file level. Doing so will drive you crazy! Even in small firms, assigning access to every file can turn into a nightmare. Instead, approach it like this. Give everyone access to email, but only let Client Advisors access Client folders.
If you have been following these steps, you will be ready to fully utilize technology. You should already have a matrix that details your high priority data, where it lives, and who needs access to it.
It is critical to have a clear understanding of this before you start, or you won’t be able to protect your data.
Now that you know what data demands protection, it’s time to take advantage of some technology.
DLP Solutions come in two flavors:
Prevention: Technology that can block data from getting lost
Detection: Technology that will let you know when data is lost
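To show what the "detection" flavor looks like in practice for the exfiltration channels the guidance lists (email to an outside address carrying PII), here is an added example that is not part of the original article or any vendor product. It applies the low/medium/high classification idea from the guidance to outbound mail: the firm domain, the PII patterns, and the sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

FIRM_DOMAIN = "examplefirm.test"  # assumed firm domain (constructed for this example)

# Classification rules: (pattern, label, risk level). Patterns are constructed
# stand-ins; a real deployment would use the firm's own identifier formats.
RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "ssn", "high"),
    (re.compile(r"\bACCT-\d{8}\b"), "account_number", "high"),
    (re.compile(r"\bdate of birth\b", re.I), "dob_reference", "medium"),
]
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str
    attachment_text: str = ""  # text extracted from attachments, if any

def classify(text):
    """Return (labels found, highest risk level) for a piece of text."""
    labels, risk = [], "none"
    for pattern, label, level in RULES:
        if pattern.search(text):
            labels.append(label)
            if RISK_ORDER[level] > RISK_ORDER[risk]:
                risk = level
    return labels, risk

def is_external(address):
    """True when the recipient is outside the firm's mail domain."""
    return address.rsplit("@", 1)[-1].lower() != FIRM_DOMAIN

def check_message(msg):
    """Return an alert for sensitive data leaving the firm, else None."""
    labels, risk = classify(" ".join([msg.subject, msg.body, msg.attachment_text]))
    if not labels or not is_external(msg.recipient):
        return None  # internal traffic or no PII: nothing to report
    return {"sender": msg.sender, "recipient": msg.recipient, "labels": labels, "risk": risk}

def scan(messages):
    return [alert for alert in (check_message(m) for m in messages) if alert]

# Constructed sample traffic: one internal message, one forward to a personal
# mailbox with PII in the attachment, one harmless external message.
SAMPLE = [
    OutboundMessage("advisor@examplefirm.test", "ops@examplefirm.test", "Q3 review", "Client ACCT-12345678 statement attached"),
    OutboundMessage("advisor@examplefirm.test", "me@personal-mail.test", "fwd", "", "J. Doe SSN 123-45-6789 ACCT-12345678"),
    OutboundMessage("advisor@examplefirm.test", "client@other.test", "Meeting", "See you Tuesday"),
]
```

Running scan(SAMPLE) flags only the forward to the personal mailbox, with risk "high"; the internal message with the same account number is not an alert because it never leaves the firm.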
There are a bunch of tools that fall under the banner of Enterprise Data Loss Prevention. These are worth considering if you’re working in a larger firm. For smaller firms, it can become too expensive to license and maintain.
Small firms usually take advantage of systems that have “DLP-lite” features already built-in. Some examples of these DLP-lite solutions are as follows:
There are more DLP solutions, but for smaller firms, these aren’t affordable or easy to use. But they should become so in the future (so it’ll be a good idea to keep track of them).
Again, trying to solve this problem at an individual file level isn’t the best way forward. If you do, you’ll find yourself going crazy, even if you work in a small company.
It’s also critical not to assume that you can collect Windows logs from all endpoints to stay compliant. Windows logs are difficult to use and can be tricky when it comes to figuring out what a user actually did.
You can set up a firewall to block file-sharing platforms like Dropbox or Google Drive. But it’s important to be aware that this is far from a guaranteed solution. In fact, a quick Google search will show you how easy it is to build your own file sharing solution.
The key here is to remember that there will always be ways to get around these blocks. So your approach to DLP should be one of multiple layers (that continues to evolve) and not a final solution.
Following the SEC Cybersecurity Guidance and maintaining DLP compliance is your responsibility. It’s critical because a data breach can have far-reaching consequences.