evaluating vendor cyber security readiness

In early 2017, the Investment Industry Association of Canada (IIAC) needed guidance for their member broker-dealers on evaluating vendor cyber security readiness. IIAC wanted a standard by which member firms could understand a vendor's true security stance and from that the risk inherent in sharing data with that vendor. The issue is material because broker-dealers routinely share extensive personally-identifying information as well as detailed records of the investment portfolios of–and transactions for–their investors. Enough data can be included in these arrangements to unwittingly enable identity theft, fraud, investment strategies, and likely even information on proprietary advice and algorithms. Vendors in the space range from law firms to the shops that print statements; they are many and their level of competence in cyber security varies considerably.

how I was selected

I volunteered. I was already on the IIAC cyber security working group and had previously participated in a panel at an IIAC conferences on cyber security. Moreover, I'd instituted a risk management and internal controls framework with a vendor in their industry, and had written my masters degree dissertation on the importance of alignment between vendors and regulated industry when it came to risk management. It is a subject that I find interesting because it is material to many industries–especially regulated industries–and I don't find it is very well understood.

When IIAC was looking for volunteers to participate in the vendor readiness evaluation guidance, I jumped at the chance. This was not a paid activity.

our methodology

Working collaboratively with the IIAC working group, I put forward a high-level evaluation shaped with these objectives:

• Be easy to use, by being readable to non-specialists.
• Be short enough to be consumable to the broker-dealers.
• Be relevant to executives at the broker-dealer firms by being grounded in real business objectives and relationships.
• Be grounded in existing standards to avoid re-inventing the wheel.
• Not duplicate existing work for the broker-dealer or the vendor. Vendors in regulated industries such as finance are always going through questionnaires, answering questions about their processes and documentation and roles. There was no need, in my opinion, to duplicate that sort of practice.

Designed to be a counterpart to a detailed checklist put forward by Vanessa Jalbert–another member of the working group based on her work at MD Financial Management–I put together a set of 20 questions based on regulatory and cyber security standards including: OSFI-B10; the NIST Cybersecurity Framework; the SOC-2 audit standard set of controls; Public Safety Canada’s “Top 4 Strategies to Mitigate Targeted Cyber Intrusions”; and the CIS Critical Security Controls.

the results

For each of the following twenty questions, I listed criteria and added some guidance on interpreting the results. This was designed to make the use of the questions below very clear to non-practitioners in risk (or cyber security).

The first three sections are designed to guide the user to understanding the relationship between the broker-dealer and its vendor(s), the nature of the data, the nature of the risk, and the vendor's stance towards risk (at a high level). The final section gets into technical controls.

PART I – UNDERSTAND THE DATA AND THE RISK
1. What are the potential liabilities?
2. What is the service being provided?
3. What are the regulatory requirements?

PART II – IDENTIFY THE SERVICE

1. Who is the service provider?
2. What is the history of this service?
3. What is the degree of cyber capability?
4. What is your breach response plan?

PART III – SERVICE PROVIDER ENTITY CONTROLS

1. What are your hiring and retention practices?
2. What are your internal policies?
3. What is your cyber governance strategy?
4. Who provides assurance of the service?

PART IV – SERVICE PROVIDER TECHNICAL SECURITY CONTROLS

1. Do you have an inventory of authorized and unauthorized Devices?
2. Do you have an inventory of authorized and unauthorized Software?
3. Do you deploy secure configurations for hardware and software?
4. Do you deploy continuous vulnerability assessment and remediation?
5. Do you deploy controlled use of administrative privileges?
6. Do you maintain, monitor, and analyze audit logs?
7. Are email and web browser protections in place?
8. Have you deployed malware defenses?
9. Are you limiting and controlling use of network ports, protocols, and services?

sharing this work

I cannot share the final form of the work, which was published by the IIAC for member use only, but I can certainly share my draft submission. I have published an article based on my humble portion of that final work here.