The Cyber Security Council has requested basic "state of the state" cyber security information from each member firm of the Association. While the information that was requested in the survey questionnaire below relates solely to each respondent's overall approach to information security, it is important because the Association needs to formulate a cyber security profile of the asset management industry in order to help educate regulators. In turn, regulators and possibly the Congress might then be in a better position to help facilitate industry cooperation and information sharing by industry participants - which is deemed by cyber security experts as the key to combating cyber attacks. The cyber security profile of the asset management industry that possibly emerges from this survey and perhaps related analytical work will be subject to review and approval by the participating member firms. Once the Association completes this vetting process, the industry cyber security profile could then be shared with regulators by members and/or the Association.
1. What is the extent of awareness within your organization of the National Institute of Standards and Technology's Cybersecurity Framework (the "NIST Framework")? In any event, has the NIST Framework gained sufficient traction within your organization to the point where it has meaningfully changed how your organization manages cyber risks? Responses:
Very Aware 100%
Somewhat Aware 0%
Not Aware 0%
Other remarks:
The NIST framework has impacted how we identify and evaluate cyber risks and the impact they have on our business.
2. Were you familiar with the NIST Framework before the SEC's OCIE pronouncement in April 2014? If so, how did your organization first learn about the NIST Framework: what was your primary source of information?
Yes, familiar 60%
Not familiar 40%
Other remarks:
Aware of the NIST updated framework through Information Security periodicals and industry groups.
From internal security professionals who are knowledgeable of best practices in the information security area.
We participated in the CSF working groups to create the CSF
3. Is your organization working with any sector-specific groups (e.g. FS-ISAC, FSSCC) or other trade groups to ascertain information about the NIST Framework? Please list any groups.
FS-ISAC and FSSCC
FS-ISAC, Wall Street Technology Association, etc.
FS-ISAC
ICI Information Security Committee
Institutional Investors Cyber Security Council
FSSCC, FS-ISAC, BITS, direct interaction with DOT and DHS
4. Is there general awareness by your colleagues that the NIST Framework: a) is intended as a cyber risk management tool for all levels of an organization in assessing risk and how cyber security factors into risk assessments; and b) builds on existing cyber security frameworks, standards, guidelines, and other management practices related to cyber security?
Only a 0%
Only b 100%
Both a and b 0%
Neither a nor b 0%
5. Has your organization adopted a standard or framework other than the NIST Framework for the purpose of guiding your information security program? If so, please indicate whether ISO-27001, COBIT, SANS, COSO or other.
No, but these frameworks are the basis for our policies, standards, etc.
ISO-27001
Our program considers industry practices and proposed standards such as those promoted by NIST, COBIT
ISO-27001
ISO-27001 and COSO
6. Many organizations and most sectors operate globally or rely on the interconnectedness of the global digital infrastructure. If your organization is planning to enhance its cyber security framework, will the asset management business use it internationally or will it be a U.S. only application?
International 40%
US & International 20%
7. Has your primary regulatory agency adopted or announced its intention to adopt the NIST Framework? If so, how extensive have your efforts been to enhance your cyber security program in light of regulatory expectations?
Very extensive / new program being implemented 0%
Recently redefined new program 20%
In process of defining enhancements 80%
8. Is your organization doing any form of outreach or education to clients, vendors or others regarding cyber security risk management?
Responses: Yes 100%
9. Please comment on whether clients want to know the most relevant types of cyber attacks likely to apply to your organization.
Responses: Yes 100%
several hundred clients ask us detailed questions about this topic every year
10. If your firm is on board with the framework, please indicate whether you have undertaken any of the following activities: awareness building with clients; assessment of your existing policies vis-a-vis the NIST Framework; development of a current state "baseline" against the likely sub-categories of the Framework; or defined a "future state" against the NIST Framework. Responses:
Yes, on board 60%
Not on board 20%
Definite program 20%
Comment:
Current state assessed and future state to be defined by management
The framework was used to review and enhance our policies and processes.
11. Regarding cyber security activities with vendors that are critical to your business, does your approach involve you categorizing these vendors? Examples of such categories could include securities valuation providers, custodians, collateral management agents, SSI data repositories, CCPs, FCMs, clearing agents (including industry utilities & trade information warehouses), etc.
Please indicate any other categories that you feel are relevant to the asset management industry.
Responses: Yes 80% No 20% Comment:
BITS Shared Assessment
We take a risk based approach to inventory and perform due diligence on our vendors and third parties.
12. Also, is it standard procedure to meet with such vendors as part of your cyber security due diligence?
Responses: Yes 100%
13. What about actual visits to critical vendors or alternate vendors to gain an understanding of data entry and exit points -- do you conduct such visits consistent with a checklist? Briefly state the nature of these visits.
Responses: Yes 80% No 20% Comment:
This is for a very small subset of vendors
Site visits are conducted periodically based upon risk. A formal checklist is followed on these site visits, where the results and action items are documented as part of our vendor governance processes.
To gain a better understanding of our critical vendors' infrastructure and their data management practices to see how they meet regulatory requirements, industry standards and best practices.
14. Would you suggest testing with critical vendors as a due diligence best practice? Responses:
Yes 60% No 40%
15. Do you inquire of critical vendors whether they also test with their own vendors? Responses:
Yes 60% No 40%
16. Do you participate in any shared assessments programs (such as those provided by a credible consultant) when undertaking vendor due diligence reviews?
Responses: Yes 40% No 60%
17. Do you utilize independent attestations as part of your review processes? If so, which do you utilize:
ISO-27001 certification 100%
SOC (Service Organization Controls) 2 and/or 3 reports 80%
SSAE-16 / SOC 1 reports 100%
Cloud Security Alliance 20%
Other (please list below):
BITS shared assessments
These independent attestations are used in conjunction with our own internally developed questionnaire.
18. Do you re-assess vendors after specific periods of time (annually, bi-annually, etc.)? Please indicate interval, if any:
Yes, periodically based upon risk
Annually
as required by contract
19. What technology tools, if any, do you use as part of your vendor assessment program to keep assessment results, open issue tracking, scheduling and other items? Please specify tools and whether you use a PMO to ensure tracking of all vendors:
home grown today, but looking at solutions like Hiperos
There is a vendor governance system for the inventory and tracking of vendors.
None currently besides Excel spreadsheets.
20. Regarding cyber security insurance and the asset management segment of your organization, is your firm looking into obtaining coverage for cyber investigations related to security breach incidents concerning vendor related issues?
Responses: Yes 60% No 40%
21. Do you feel it is beneficial to raise awareness with senior management or your audit committee concerning the intricacies and nuances of industry-wide cyber security best practices? If yes, please briefly state one or two positive takeaways. Responses:
they want to know how we benchmark to peers
Yes, it is beneficial. Positive takeaways include:
o Senior management is setting a security conscious culture for the organization and
o Are aware of the roles and responsibilities if there is a security incident
Yes.
o Inform senior management of cyber risks that are specific to our Firm and the business impact of these risks.
o Obtain authorization and support to implement security best practices.
Yes
use of the NIST framework, risk based asset protection,
22. Any general observations about cyber security developments currently affecting the asset management industry? An example of a current cyber security development would be the use of external evaluations of policies and procedures that are currently in place.
record keeping and data destruction don't have adequate handling in the "best practices"
Besides cybersecurity threats as a whole to the industry, the regulatory focus and expectations around cybersecurity will continue to affect asset managers, especially as the regulators begin to test and assess these controls.
An increase in the amount of time, effort, and money spent on responding to due diligence and RFP responses pertaining to cyber security. This increase in the type of cyber security-related questions by current and potential customers has changed how our organization investigates and responds to potential security issues even if our Firm is not vulnerable to the risk.
the increased focus by regulators in this space is broadening the awareness in the firm and enabling ready adoption of new risk management efforts as we align with the framework. The burden of the increased requests for information in this space is creating a need for standardized question/responses which can be re-used for multiple requestors.
23. How do you manage insider risk? Responses:
Combined team with HR, Physical Security, and Info Sec. Looking at technical and human factors
This is a layered approach using the following controls:
o Data Loss Prevention (DLP) Monitoring
o Least privilege access model
o Role based access
o Recertification of user access
o Filtered internet access
o Restrictions on removable storage
o Email surveillance
We limit access to confidential data based on access controls, we have separation of duties for sensitive functions, and some limited DLP capabilities (through our implementation of biometrics). This is an area that we are currently looking to expand.
education, monitoring, DLP controls, and analytics
25. Would you consider participating in Association-sponsored tabletop exercises (which would also include certain vendors that are critical to your business) in order to test incident response plans to certain cyber attack scenarios?
Responses: Yes 80% No 20%