NIST is the acronym for the National Institute of Standards and Technology, a government agency within the U.S. Department of Commerce that fosters cybersecurity research, education, and collaboration. As part of that effort, NIST has developed a cybersecurity framework to help organizations of all sizes to identify, assess, and manage cybersecurity risks. Notably, the Securities and Exchange Commission ("SEC") not only utilizes the NIST framework to help manage its own cybersecurity program, but has also commonly referenced the framework when issuing information security guidance to investment advisers. As such, NIST is particularly relevant to a registered investment adviser ("RIA") firm. Advisory firms should consider incorporating the framework when establishing information security policies and procedures.
The NIST framework focuses on five functions: Identify, Protect, Detect, Respond, and Recover. Version 1.0 of the framework was released in February 2014. The updated version 1.1 of the framework was released on April 16, 2018. The creation of a customized RIA information security policy modeled on the NIST cybersecurity framework is included as part of the subscription to the RIA in a Box cybersecurity platform.
Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
The identify function is separated into the following six categories:
- Asset Management
The asset management category helps your firm identify the data, personnel, devices, systems, and facilities needed to serve your clients and the relevant risks each of those areas may pose to your firm. For example, your firm’s information security program includes identifying key internal and external technology systems, along with the types of potentially sensitive data stored in each of those systems.
- Business Environment
- Risk Assessment
- Risk Management Strategy
- Supply Chain Risk Management
Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
The protect function is divided into the following six categories:
- Identity Management and Access Control
The identity management and access control category helps your firm protect sensitive data by establishing proper procedures regarding who on your firm’s staff should have access to particular types of data and systems. Examples include ensuring that not all staff members have full administrative access to company systems, maintaining the ability to toggle system access on and off, and making sure that former employees no longer have access to company systems or access to your firm’s office.
- Awareness and Training
The awareness and training category is an essential part of your firm’s cybersecurity program. Ultimately, your firm's employees can be your greatest strength or weakness as it relates to cybersecurity. Employees need to only only understand your firm's information security policies and procedures, but also receive real-world training on particular types of social engineering or email phishing attacks which commonly target RIA firms. Unfortunately, investment adviser are often targeted by bad actors given the sensitive client information these firms often possess. As such, proper training is vital.
- Data Security
The data security category helps to ensure that your firm’s sensitive company and client information is properly managed to help protect the confidentiality, integrity, and accessibility of the information. This would include protecting your firm’s network, database, or other sensitive company systems, plus working to maintain constant access to key company systems.
- Information Protection Processes and Procedures
The information protection processes and procedures category should be embedded in your firm’s day-to-day practices. It helps your firm establish proper information security policies to not only meet regulatory requirements, but also to help ensure that controls are established to protect and maintain access to information systems and assets. For example, this typically includes the creation and testing of your firm’s business continuity plan, access to critical functions, and data back-up procedures.
The maintenance category guides your firm on making sure that all information system components are properly maintained, repaired, and logged to help reduce the risk of potential unauthorized access.
- Protective Technology
The protective technology category explores how your firm’s technology systems are properly preserved and protected. For example, this may include a policy that mandates automatic security patch installation or restricts the use of removable media such as a flash drive.
Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
The detect function is divided into the following three categories:
- Anomalies and Events
The anomalies and events category helps your firm establish procedures to detect suspicious activity, plus mitigate against the potential impact of that activity. This may include monitoring your firm’s network operations to establish a baseline of expected activity. This is done in order to identify potential anomalies or unexpected network activity. Unexpected network activity would include network activity from an unexpected, remote location, activity conducted after normal business hours, or an unexplained spike in the volume of activity.
- Information Security Continuous Monitoring
The information security continuous monitoring category sits alongside the anomalies and events category to help your firm protect its network and physical environment. This could include monitoring internal and third party vendor access to your firm’s technology systems, conducting a vulnerability scan, and monitoring for any unauthorized devices accessing your company’s network or data systems.
- Detection Processes
The detection processes category addresses what your firm should do when suspicious activity is detected. This may include ensuring that all relevant firm team members are alerted and that any third parties are notified in order to help mitigate the potential issue. This could also include re-evaluating your firm’s response plan to learn from previous incidents and improve your firm’s response plan going forward.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
The respond function is divided into the following five categories:
- Response Planning
The response planning category helps to ensure that your firm not only has a cybersecurity response plan established, but also has taken steps to make sure the plan is well-executed in response to a cybersecurity incident. In order to properly respond to a cybersecurity issue or breach, your firm needs to be prepared in advance to quickly and systematically react in accordance with its written response plan.
The communications category addresses coordinated communication with internal and external parties to respond to the event. This helps each internal team member understand the role she or he plays, including proper communication with external parties, such as a law enforcement or regulatory agency.
The analysis category entails designing a plan to properly analyze cybersecurity incidents and their potential impact. For example, when a breach takes place, your firm needs to analyze the event to understand the systems involved, the clients that may have been impacted, and the types of non-public information at risk.
The mitigation category helps your firm prevent a relatively minor incident from turning into a larger cybersecurity breach. For example, perhaps you clicked on a fraudulent phishing email that may have led to malware being installed on your computer. In that scenario, the mitigation component underscores the importance of quickly addressing the issue to prevent that malware from accessing data across your firm’s entire network.
The improvements category stresses that your firm’s cybersecurity response program should be constantly changing to address lessons learned and current best practices. In particular, it’s important that your firm’s current response plan be regularly revised to address new and evolving types of cybersecurity threats.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
The recover function is divided into the following three categories:
- Recovery Planning
The recovery planning category focuses on proper execution of your firm’s recovery processes and procedures during and after a cybersecurity incident. This, for example, should ensure that your firm’s files are still accessible in the event of a ransomware attack aimed at blocking access to your firm’s data.
The improvements category makes sure there is a process in place to learn from past recovery efforts to improve future recovery processes. This means that recovery plans and strategies should be regularly reviewed and updated as needed.
The communications category addresses the coordination of communication among internal and external parties when recovering from a cybersecurity event. Often, the first level of communication will be between different internal departments within your firm. Ultimately, this can also include addressing potential regulatory and reputational risk management issues via external communications.
As RIA compliance consultants and information security experts, we cannot stress enough RIA staff can never receive enough training when it comes to cybersecurity. Our RIA cybersecurity platform includes online NIST framework training as part of its security awareness training capability. Given that staff members pose a significant inadvertent cybersecurity risk to investment advisory firms, the importance of thorough and frequent staff training and education cannot be understated.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.