Industry Best Practices

Vendor Due Diligence – How well do you know your vendors?

The SEC OCIE guidelines are vague in many areas, subtly suggesting some things and forcefully recommending others (with the caveat that security may look different at each firm). One thing they do not mince words on, though, is the need to vet vendors. They state clearly that moving your data to the cloud does not let you abdicate your responsibility to ensure that the data is secure.

How can you verify that data kept on servers you don't control is safe? Directly, you can't. At the same time, both as good practice and to satisfy the SEC (and other governmental, compliance, and regulatory agencies), it is important to do due diligence on vendors.

What's involved in this process? In theory, it is quite easy: start asking questions. Ask the vendor, check their web site, Google them. Ask in-depth questions (who can access your data, how it is protected and backed up, whether they have had incidents), and follow up when the answers differ from what you expected. If you are already using a vendor, look at how they are performing. Basically, you want to do a mini risk assessment on each vendor that holds your data or has access to your systems.

Some vendors will cooperate quickly, providing everything you need immediately. Others will get it to you slowly. Others won't even bother calling you back. Some (like Microsoft) really don't care. The trick is to find out everything you can anyway. It often takes a little detective work. How your data is backed up, what the company's reputation is, whether they've had any incidents, how good their security really is: all of these can be discerned. It is just a matter of (as the title suggests) being diligent.

Cobaltix Compliance is happy to do this work for you, or to guide you if you’d like to do it yourself.

Not registered with the SEC? Why bother with compliance?

Although the SEC does not currently require some hedge and venture funds to be registered, this does not mean that these firms don't have to comply with the laws and rules. It just means that they don't have to demonstrate regulatory compliance. The SEC assumes that unregistered funds are working with sophisticated investors, and not being registered means less regulatory oversight. But even with fewer regulations, it is still important to maintain a stable security program and to keep up with compliance.

Does this mean that non-registered firms don't need to worry about compliance? Yes and no.

The SEC, and almost every credible regulatory body in the US and Europe, requires risk assessments to determine the state of security and minimize the impact of cyberattacks. Whether registered with the SEC or not, companies face careless or unwitting activity as well as intentional malfeasance from employees and vendors, and these pose great threats. Understanding the overall degree of harm that could result from the exploitation of a security vulnerability is therefore crucial. Risk assessments not only find the security issue; they also identify its risk level and impact. Cobaltix Compliance offers risk assessments as well as other services that are crucial to keeping a company secure, whether it is SEC registered or not.

Compliance often adds hoops that distract from actual security, and actual security is often overlooked by IT personnel. This is where Cobaltix Compliance comes in. While IT is focused on getting systems working, security makes sure the data stays safe even when things change. That requires keeping track of current threat vectors, doing things the same way every time so that regular audits can find problems, and establishing controls that can prove data hasn't been tampered with.

Today, hedge funds, and any company that handles sensitive data, moves money around, or holds proprietary information, are target-rich environments that often see daily attacks from the internet. Attacks from the inside, whether careless or intentional, are often the most damaging. For these companies, whether required to do compliance or not, risk assessments are especially pertinent. Even if you aren't required to do compliance, skip the hoops, but don't skip the security. A risk assessment by a competent security company, such as Cobaltix Compliance, is a good first step.

Who Should Do Compliance and Security Assessments?

The world is changing. Back in the old days, you called a Big Five consulting company to do an audit. They sent over four or more recent grads from top business schools to pore over boxes and boxes of files for five or six weeks. Eventually, they said that the accounting was good, and they left until the following year. The only problem was that the results were always positive; after all, the same firm had been doing the accounting, so why wouldn't it be good?

All that changed a long time ago. Now you have two firms: one that does the accounting, and another that does the audit. The same recent grads still come through (now you get coffee with a partner, too), but at the end of the day, unless you're really screwed up, you get a short list of things that need to be fixed and a clean bill of health.

Oh, yeah, and your cyber security compliance was fine.

Why is the accounting firm doing cyber security? Big or small, accounting firms don't have any idea about cyber security. They may hire a couple of people with credentials, send out questionnaires, and ask when the last penetration test took place. Generally, that is about it. No look at any of the systems. Minimal interviews. Generally, no understanding of the relationship between cyber security and risk, or of technology at all.

There is an even worse alternative: letting the IT guys do the security.

IT guys are great. Their job is to make people happy. While many tech guys fail at that primary mission, if you have a good IT guy, your company has a great competitive advantage.

Not only are the IT guys focused on fixing things, they also don't usually think about risk, procedure, or controls. Your best IT guy thinks in exactly the opposite way, creatively solving problems as fast as possible, and that is what you want in an IT guy. Also, most IT guys don't write all that well, and communication is key to security: you want everyone (up to and including the CEO) on the same page about risk and security.

Security isn't just about checking boxes, whether by an accountant (or worse, an attorney) or by a technical person. It is about reducing risk. Risk doesn't just come from computers; it comes from people. Risk comes from HR and Finance and Accounting. It comes from systems, too.

Compliance and great security are done by people who can blend a true understanding of business with deep knowledge of technology. They have to be able to think like a bad guy and an attorney at the same time. The job requires both asking hard questions and looking closely at systems, networks, laptops, and people.

Larger firms have a CSO (Chief Security Officer) or a CISO (Chief Information Security Officer). The CSO/CISO and CIO are peers, and they often report through different hierarchies. Unfortunately, it isn’t practical for small and medium sized firms to hire a CSO/CISO. This is a role that can be outsourced.

Information Security usually reports into legal or compliance, or in some firms, to the CFO. Because many small firms don't have legal or compliance in house, many accounting firms offer to be "one-stop shops" and include cyber security for the CFO. It is easy, but it is a bad idea.

You want your compliance and security consultants to be smart about business and to know the regulatory environment: not just the rules, but what happens during an audit. Ask about a CISSP (one of the few security certifications worth anything). Look for deep knowledge of technology. The auditor should never ask for passwords or actually touch any system; the auditor should be "shoulder surfing," watching over the shoulder of your own administrator as that person operates the system.

Ideally, your security firm should have a great deal of experience in your sector. Being tied to a technology company is often good, but you never want people in the same company auditing their own work or their peers' work.