The Department of the Secretary of State has identified the cybersecurity of state registered investment advisers, their business records and client funds to be a critically important issue. Cyberattacks are a real danger, with impacts on both the advisers and their clients. Consequently, the Department is undertaking a special emphasis initiative to help North Carolina’s registered investment advisers become more “cybersecure.”
All state-registered investment advisers are fiduciaries. Consequently, they have a legal obligation to keep their clients’ personal and financial data safe and secure. As part of their books and records obligations, all state-registered investment advisers must also keep and maintain policies and procedures that are meaningful and specific to their businesses. This includes having specific cybersecurity policies.
Our cybersecurity consultative services are completely free and voluntary for any North Carolina-registered investment adviser.
The initiative is being run through our Investor Protection and Education Services Program. The program is not being coordinated with the audit unit, nor will information gathered through this consultative initiative be shared with the audit unit.
Please note: Participation in this initiative will not guarantee that an investment adviser will not have compliance issues. However, active participation in the initiative will put the adviser in much better shape to pass an examination on these elements than it likely would be if it did not participate. Participation in every stage of this initiative should significantly reduce the chances that an investment adviser will experience related compliance issues in the future.
Our initiative is based on the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) developed by the National Institute of Standards and Technology (NIST). The Cybersecurity Framework is a voluntary, risk-based framework of industry standards and best practices designed to help organizations manage cybersecurity risks. (For more information about the Cybersecurity Framework, please see their website at https://www.nist.gov/cyberframework.) Our initiative also draws from materials produced by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the North American Securities Administrators Association (NASAA), and the International Organization of Securities Commissions (IOSCO).
The NIST Cybersecurity Framework identifies five core functions: Identify, Protect, Detect, Respond, and Recover. We will help the volunteer participants in this initiative work through these five core functions in stages. Throughout this process, we are going to utilize portions of FINRA’s “Checklist for a Small Firm's Cybersecurity Program” which may be downloaded at https://www.finra.org/industry/cybersecurity#checklist.
If you are an investment adviser who is registered in North Carolina and you wish to participate voluntarily in this initiative, you are encouraged to start this process by first sending us your firm’s current cybersecurity policies and procedures. You may send these to us via email at firstname.lastname@example.org. If they are too large to send to us via email, please send a message and we will send instructions for uploading the file to our secure FTP site. Once you have sent us your current cybersecurity policies and procedures, you may start the following process:
The steps enumerated here may seem daunting at first. However, the first step in a comprehensive cybersecurity plan is to identify your risks, and you cannot do that without knowing what you have. All of the steps described below are connected, so it is best for you to tackle all of this at one time.
If you have any questions, or would like our feedback on what you prepare, please email John Maron, Director of the Investor Protection and Education Services Program, or the initiative’s cybersecurity consultant, Norm Burtness. Technical questions are best directed to Norm Burtness first.
- Step #1
- Start by creating a written inventory of all your digital assets. You don’t know where your vulnerabilities are unless you identify what you have. We suggest you keep your inventory on a spreadsheet. (If you are using the FINRA checklist, the Section 1 tab can be adapted for use here.) In column one, write down every item you and your firm use for business-related activities and which can connect to the internet: computers, servers, smartphones, tablets, printers, fax machines, routers, smart TVs, smart speakers, security cameras, etc. – even your refrigerator or thermostat if they connect to your network (this is how the 2013 data breach at Target occurred)! If you have employees or family members who also have devices that connect to your business network, be sure to include those, too. Further, if you also do any work at home, be sure to include any devices that you allow to connect to the same network that you use for business. Include: a description of each item; its nickname (if applicable); the make, model, serial number (and/or other identifying information) of the device; its physical and/or virtual location (e.g., laptop, network drive, system folder, or email); and what software (and which versions) is currently loaded on the device, including protective software. As an OPTIONAL step, you could also record the operating systems, patch levels, and configurations. If you have any technical questions about any of the elements in Step #1, please feel free to contact Norm Burtness.
- Step #2
- Next, we want you to identify the data your business stores on and/or accesses through each device, particularly information that could be considered personally identifiable information (PII, sometimes also referred to as non-public information) or firm-sensitive information. Examples of PII include names associated with Social Security numbers, dates and places of birth, and financial records including customer account and holdings information. Firm-sensitive information can include contact address information, email addresses, employee information, financial records, tax filings, etc. You may list this information in the column next to each device identified in Step #1.
- Step #3
- Next, we want you to assess the risk to your business and/or clients if the data identified in Step #2 is lost, stolen or otherwise compromised. Ask yourself these questions: What would happen to my business if this information was made public? What would happen to my business if this information was inaccurate? What would happen to my business if I/my clients couldn’t access this information? Who has access to this information? Third party vendors/contractors (including IT providers)? Cloud-based services? As you ponder these questions, we want you to assign a risk severity level to each item identified in Step #2. You may classify the risk severity level in terms of dollars (if known) or simply with words like “low”, “medium” or “high”. It is difficult to protect everything against every potential threat, but you need to identify what information is most valuable to your business or to your clients. Record the risk severity level in the next column for each device identified in Step #1.
- Step #4
As the final step in this first stage, we want you to answer the following questions with regard to the data identified in Step #2 above (include your responses over the span of the next 4 columns on your spreadsheet):
- Keeping in mind your books and records obligations, can you meet your business objectives without access to the data identified in Step #2? (Yes/No)
- Keeping in mind your books and records obligations, can you meet your business objectives without sharing the data identified in Step #2 with others? (Yes/No)
- If you answer “Yes” for any of the data identified in Step #2, describe your plan to fix the flaw in your procedures.
- Taking into consideration the risk severity level you assigned in Step #3, if you answer “No” for any of the data identified in Step #2, can you change a business practice to eliminate or at least mitigate the risk? For example, can you use a client-specific identifier other than a Social Security number or birth date? If so, describe your mitigation steps/response.
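The four steps above describe one worksheet: a row per device (Step #1), the data on it (Step #2), a risk rating (Step #3) and the two Yes/No questions with a written response (Step #4). The following Python script is an added illustration of that worksheet and is not part of the Department's materials or the FINRA checklist; the record layout, the `PII_TERMS` list, the action wording and the five sample devices are all constructed assumptions. It flags rows with missing Step #1 identifiers, marks which rows hold PII, turns the Step #4 answers into the follow-up the page asks for, and writes the result as CSV ordered so the highest-risk rows are reviewed first.

```python
"""Digital-asset inventory worksheet modelled on Steps 1-4.

Added example, not the Department's or FINRA's tool. The record layout,
PII_TERMS, the action wording and the SAMPLE devices are assumptions.
"""
import csv
import io
from dataclasses import dataclass, field

# Data categories the page lists as PII; a match raises a row's priority.
PII_TERMS = {"ssn", "social security", "date of birth", "place of birth",
             "account", "holdings"}
RISK_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    # Step 1: one row per device that can reach the internet or the business network
    description: str
    make_model: str
    serial: str
    location: str
    software: list[str] = field(default_factory=list)
    # Step 2: data stored on or accessed through the device
    data: list[str] = field(default_factory=list)
    # Step 3: "low" / "medium" / "high"
    risk_level: str = "low"
    # Step 4: the two Yes/No questions (True = "Yes") and the firm's written response
    ok_without_access: bool = False
    ok_without_sharing: bool = False
    response: str = ""


def step1_gaps(a: Asset) -> list[str]:
    """Return the Step 1 identifying fields that are still blank for this row."""
    required = {"description": a.description, "make_model": a.make_model,
                "serial": a.serial, "location": a.location}
    gaps = [name for name, value in required.items() if not value.strip()]
    if not a.software:
        gaps.append("software")
    return gaps


def holds_pii(a: Asset) -> bool:
    """Step 2: True if any listed data item matches a PII category."""
    return any(term in item.lower() for item in a.data for term in PII_TERMS)


def step4_actions(a: Asset) -> list[str]:
    """Translate the Step 4 answers into the follow-up the worksheet asks for."""
    actions = []
    if not a.data:                      # nothing stored here, nothing to decide
        return actions
    # A "Yes" means the firm keeps or shares data it does not need: fix the procedure.
    if a.ok_without_access:
        actions.append("fix: stop storing this data on the device")
    if a.ok_without_sharing:
        actions.append("fix: stop sharing this data with third parties")
    # A "No" on either question with no written mitigation is an open item,
    # urgent when Step 3 rated the data high.
    answered_no = not (a.ok_without_access and a.ok_without_sharing)
    if answered_no and not a.response.strip():
        urgency = "urgent" if a.risk_level == "high" else "open"
        actions.append(f"{urgency}: describe mitigation (e.g. replace SSN with a client ID)")
    return actions


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Order rows so the highest-risk, PII-bearing devices come first."""
    return sorted(assets,
                  key=lambda a: (RISK_RANK.get(a.risk_level, 0), holds_pii(a), len(a.data)),
                  reverse=True)


def to_csv(assets: list[Asset]) -> str:
    """Emit the worksheet as CSV, one column group per step."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["description", "make_model", "serial", "location", "software",
                "data (step 2)", "risk (step 3)", "ok_without_access",
                "ok_without_sharing", "response", "actions"])
    for a in prioritize(assets):
        w.writerow([a.description, a.make_model, a.serial, a.location,
                    "; ".join(a.software), "; ".join(a.data), a.risk_level,
                    a.ok_without_access, a.ok_without_sharing, a.response,
                    "; ".join(step4_actions(a))])
    return buf.getvalue()


# Constructed sample inventory for a small firm (not real devices or data).
SAMPLE = [
    Asset("Adviser laptop", "Example make/model", "SN-0001", "office", ["OS + antivirus"],
          ["client names with SSN", "account holdings"], "high", False, False, ""),
    Asset("Office router", "Example router", "SN-0002", "office closet", ["firmware 1.0"]),
    Asset("Smart thermostat", "Example thermostat", "", "office"),
    Asset("Cloud backup", "Example service", "n/a", "virtual: vendor cloud", ["backup agent"],
          ["tax filings", "employee records"], "medium", False, True,
          "backups encrypted; vendor contract reviewed"),
    Asset("Reception tablet", "Example tablet", "SN-0004", "front desk", ["OS"],
          ["client email addresses"], "low", True, False, ""),
]

if __name__ == "__main__":
    for a in SAMPLE:
        if step1_gaps(a):
            print(f"Step 1 incomplete for {a.description}: {step1_gaps(a)}")
    print(to_csv(SAMPLE))
```

The thermostat row shows why Step #1 asks for identifiers before anything else: it holds no data, so Steps 2-4 produce nothing for it, but without a serial number and software list you cannot later check whether it is patched. The cloud backup row shows the distinction the page draws between PII and firm-sensitive data: tax filings and employee records are not flagged as PII, yet the "Yes" to sharing still yields a fix action.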