In our line of work, we hear a lot of myths and rumors. For example, some people say that Microsoft365 isn’t SEC compliant because it’s in the cloud. We have also heard some people saying the same about Google’s Google Workspace. But what does the SEC Cybersecurity Guidance say?
While the SEC Cybersecurity Guidance does talk about email, it doesn’t specifically say which email systems are or aren’t compliant.
So how do you figure this out? What should registered investment advisor firms do?
We’re pleased to say that we’ve seen clients use Microsoft365, Google Google Workspace, and even their own Exchange server. We believe all of these can be made compliant.
The key here is to focus on the right things. Rather than focusing on the email system, focus on its capabilities.
What does that mean? Let’s break it down.
To maintain compliance, we have to consider the risk factors and make sure we’re addressing the risks. We must also carefully configure our email platform to ensure compliance.
Here are some examples of what makes an email both secure and compliant:
All online accounts, including email accounts, are vulnerable to a data breach. Until they invent a better solution, the best way to secure your email account is with two-factor authentication (2FA).
What’s two-factor authentication?
If you have used Facebook, Gmail, or Twitter before, you might have come across 2FA. It’s already an option on these platforms, and they strongly encourage users to adopt it.
Whenever 2FA is used, your email account will require a second level of authentication to access your account.
If you have been just entering your username and one password, that’s single-factor authentication. With 2FA, you will need to have two or three types of credentials before you’re allowed to access your emails.
You’ll be asked for some combination of these three types of credentials:
So how does it work?
Whenever you log in to your email account, it will use an online service or authorized device like your mobile phone to verify your identity. This is often as simple as clicking on a link. You can also type in a number sent to an authenticator app (like Google Authenticator).
If you’re thinking that the idea behind 2FA is nothing new, you’re right! Credit card companies have been asking us to enter ZIP codes or phone numbers for years, and that’s 2FA in action.
If you want to learn more about 2FA, you can find some more information HERE. This resource also lists all the major websites that support 2FA.
Cybersecurity matters. If your firm is going to take the SEC Cybersecurity Guidance seriously, you have to find a way to enforce strong, long passwords.
We know that long and unique passwords (with a mix of capital and simple letters, numbers, and symbols) can be difficult to remember. But it will help you and your firm better protect yourselves from cybersecurity risks and incidents. And if you’re struggling to remember your passwords, you can always use our favorite password manager.
If you’re using your pet’s name or typing numbers 1-8, you’re begging to be hacked!
How damaging would it be if a hacker got into your email and saw sensitive data like a periodic report or a financial statement? So secure your email account with a strong, long password. But if you’re using the same password on more than one site, change it to avoid a potential data breach.
These days, if you're going with one of the major providers (Google or Microsoft), they pretty much handle all of the right encryption inside of your company for you. They encrypt messages stored in your inbox, and they encrypt messages moving between people inside of your company.
What they don't always do is handle encryption outside of the company. But this can be achieved with a little bit of effort (which we will go over below).
You might not be set up properly, though, if you're hosting your own email server. Then you need to work with your IT provider to make sure that emails are encrypted both at rest (or sitting in your inbox) and when it’s moving between your employees.
If you're going to send sensitive data outside of your company, you need to do one of these:
Archiving is important because the SEC demands it. So if anyone files a lawsuit or questions your trading decisions later, you'll be able to produce historical emails.
Many people point to the Enron debacle as the trigger for the email archiving requirement. So firms are now required to have an archive that can pull up old emails, even if they're deleted.
If you’re using some of the established providers, there is nothing to worry about. Both Microsoft365 and Google Workspace have built-in add-ons to meet these requirements (if you’re on the right plan). If not, you can also use a third-party system (like Smarsh), which will also work with your own email server.
The SEC Cybersecurity Guidance also demands a data loss prevention (DLP) plan. By putting robust prevention and detection technologies in place, you’ll be able to make sure that someone isn’t using email to steal data.
Cybersecurity threats are a serious concern not only for senior management but for everyone. According to IBM and Ponemon’s Institute’s Cost of a Data Breach Study, the primary cause of 48% of data breaches last year was malicious or criminal attacks.
Human error only accounted for 27% while system glitches resulted in 25% of the data breaches. This is a terrific article to learn more about data loss prevention.
Microsoft365 is leading the way when it comes to DLP, but Google Workspace is trying to catch up (though for now, DLP is only available on their most expensive plan). If you’re hosting your own email server, you’ll have to work with your IT provider to put DLP in place.
To maintain compliance, it will be a good idea to have a detailed audit log of every action a user takes in a system. This is important because you’ll never know where a breach can originate from. It can even be someone on the inside.
A detailed audit log won’t prevent someone from stealing information stored inside your email account. But it will help you identify who did it. Again, robust audit logs are already built into Google Workspace and Microsoft365. If you’re using your own email server, work with your IT provider to make sure logging is properly configured.
Your email service provider should also detect and block potential phishing attacks. Phishing is still extremely popular. These days, it takes the form of file attachments in Microsoft Office formats (like malicious Word, Excel, and PowerPoint files).
According to Cisco’s 2018 Annual Cybersecurity Report, 38% of malicious file extensions are Microsoft Office files. Another 37% took the form of archive file formats (like .zip or .jar), and 14% were .PDF files.
To learn more about phishing attacks and how you can protect yourself, read this article. We also sell an advanced tool that blocks phishing attacks, so book some time to talk if you want to learn more.
The SEC Cybersecurity Guidance is also quiet on the topic of texting. More general SEC guidance provides more specifics about compliant text messaging.
Here’s our take on it. If you’re using texting to conduct business, you need to have an archive and logging of all messages. It’s important to note that there’s no way to do this with typical texting services like Apple’s iMessages, Facebook Messenger, Telegram, or Snapchat.
A lot of companies are using Microsoft365’s Teams function or Google Workspaces Meet function for texting internally. These can be configured to be archived. They might be a little difficult to use, but it’s certainly possible. They also both have nice computer-based and phone-based programs.
To be compliant with the SEC Cybersecurity Guidance, your communications should be secured as follows:
The good news is that Microsoft365, Google Workspace, and Exchange can all meet these standards. So those of you who are already using these services have nothing to worry about. If you’re thinking of another system, really give them a good long hard look before committing to it.
If you haven’t secured your email accounts, we can help. We are also a phone call away if you have questions about the SEC Cybersecurity Guidance.