Cybersecurity Services

STRENGTHENING YOUR CYBER PROGRAM

Strategies to Assess, Protect and Monitor

Cybersecurity is on the minds of firms of all sizes. Cyberattack and ransomware incidents among financial services firms are on the rise, having increased 400% from 2015 to 2016, and are expected to double again in 2017 (Sources: IBM Security, CNBC, Beazley). Regulators including the SEC, FINRA and the CFTC, as well as state regulators, have expanded their focus on cybersecurity. Whether it is protecting the personal information of retail clients or responding to the wide range of cybersecurity questions now included in institutional investor due diligence, is your firm prepared?

Managing cybersecurity risks is now considered part of a robust compliance program, yet many compliance professionals worry they do not understand the technical aspects enough to feel comfortable with their current program, or where to start developing one.

Federal rules such as Regulation S-P, Regulation S-ID and Rule 206(4)-7 are quickly being joined by state regulations that also mandate that sufficient information security policies and procedures be in place. States such as Massachusetts, California and, most recently, New York have enacted their own regulations dictating how firms must secure their own information as well as that of their clients.

Ascendant can take that worry off your plate. We have designed a comprehensive cybersecurity package to help you manage these risks, while allowing you to focus on your core business.

  • Understand your cybersecurity risks from both a regulatory and business/operational perspective
  • Develop a robust Incident Response policy and test plan
  • Test your staff with phishing and social engineering testing
  • Implement the NIST Cybersecurity Framework as part of your cybersecurity strategy to have an understandable roadmap for discussion with senior management, compliance, and IT
  • Assess the cybersecurity programs of other firms you are considering acquiring
  • Test your defenses against the techniques real attackers use with a penetration test
  • Bring your cybersecurity policies and procedures up to industry best practices with a custom Information Security Policy manual created just for you
  • Assess the adequacy of your patch management practices
  • Train your staff on emerging threats with on-demand cybersecurity training and in-person cybersecurity training
  • Prepare for a regulatory examination by assessing your ability to meet examiners’ expectations of controls, policies, and testing with our Cybersecurity Gap Analysis, designed to address the SEC’s OCIE Cybersecurity Examination Initiative
  • Evaluate and document vendor due diligence

Ascendant offers a cybersecurity training program customizable to meet your needs and busy schedule. Whether you prefer on-demand training modules with reporting capabilities or the ability for your staff to ask questions during live, in-person training at your offices, we can help prepare your employees to recognize cybersecurity threats and trends to better protect your firm and its reputation. Ascendant’s cybersecurity training covers hot-button issues including ransomware and social engineering techniques, keeping systems patched, mobile device security, and a host of other topics. We can also customize a training program just for you.

We offer training on our ACM platform, delivering training videos and attestations to your employees remotely.

For a more hands-on approach, Ascendant can send one of its Cybersecurity Specialists to train your employees on site.

Ascendant can create custom training solutions tailored to fit your firm’s needs. Whether you are looking to enhance training for one office or hundreds of branches, Ascendant has you covered.

For those wishing to join the ranks of firms who are truly serious about cybersecurity, Ascendant can help implement the nationally recognized NIST Cybersecurity Framework, upon which the SEC’s cybersecurity exams are based. Used throughout the government and now the de facto cyber framework for the private sector, the NIST Cybersecurity Framework will bring your firm’s cyber program to the next level and provide you with the peace of mind that comes from having a program aligned with both industry best practices and regulatory expectations.

The Framework organizes a cyber program around five core functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Firms that have existing Information Security policies and procedures in place may wish to have them examined for best practices. Ascendant can review a firm’s documentation to obtain assurances that best practices are being used and to identify outstanding compliance deviations. This review can be done remotely. The deliverable: a detailed report identifying procedural gaps and providing recommendations for remediation.

1. Firm provides information security-related documentation to our secure ACM cloud portal.

2. Our ISACA-certified Information Security Consultants examine firm documentation using proprietary methodology and risk scoring.

3. A Gap Analysis report is provided documenting deficiencies with recommendations to assist in bridging gaps and bringing a firm’s Information Security Policy up to industry standard.

Ascendant can help small firms get their IT up and running by aiding in the vendor selection and due diligence process. Firms that rely on vendors for IT and cybersecurity functions often lack documentation evidencing the due diligence performed on those vendors, and in some cases do not know where to start. Ascendant will craft policies and procedures that address each vendor’s role in a firm’s Information Security Plan. For mid- to large-size firms with established programs but weak vendor due diligence, Ascendant provides a streamlined platform to track vendor due diligence responses and questionnaires, supporting the risk management effort with on-demand reporting.

Ascendant can obtain assurances that vendors provide secure services and do not endanger firm data, supplying policies to evidence this and procedures to help firms stay on top of ongoing due diligence.

With our ACM cloud technology, performing vendor due diligence is easy, secure and streamlined.

For firms that need a comprehensive risk assessment, our certified cybersecurity specialists can bring firm policies and practice up to scratch. The assessment identifies physical and network security risks through a combination of on-site inspection, staff interviews and access control testing; bridges the gap between compliance, IT and senior management in understanding cyber risks; and helps you develop an action plan to reduce your risk profile. Upon request, Ascendant can accompany your team on site to your data center or other third-party vendors to assist in due diligence. The on-site assessment gives your firm the opportunity to put questions to our cyber experts and to learn how your cybersecurity program benchmarks against that of your peers.

A physical security review can identify areas needing remediation and provide documentation evidencing existing and recommended controls.

Staff interviews help paint a deeper picture of a firm’s operational procedures and access controls, and corroborate whether actual practice is consistent with firm policy. Ascendant will examine and document accordingly.

Ascendant will perform a Gap Analysis on a firm’s network security, identifying controls needing remediation.

Ascendant can aid in the vendor diligence process, making sure the right questions are being asked and proper documentation is being maintained.

A final risk assessment will contain a comprehensive review of a firm’s cyber risk profile that identifies steps toward remediation and provides additional documentation supporting the creation of an Information Security Policy.

Vulnerability Scanning

Many regulatory agencies, such as the SEC, NY DFS and FINRA, require or expect firms to perform regular vulnerability scans of their networks. An external scan gives a firm a picture of its network as an outsider sees it: which hosts and ports answer from the internet, and which known weaknesses are detectable there. The aim is to tighten the perimeter by limiting what outsiders can observe and reach. Note that an external, unauthenticated scan covers only internet-facing systems; it does not assess internal hosts or the configuration of devices behind the firewall. Scan output can be verbose and confusing to those untrained in vulnerability analysis; Ascendant provides reports with executive summaries listing the issues in layman’s terms, and walks through the identified vulnerabilities and remediation steps in plain English so that you leave with an understanding of both the risks and the accompanying recommendations.

1. Using cloud-based scanners, Ascendant examines the firm’s external (internet-facing) network for vulnerabilities.

2. A report is created identifying network vulnerabilities along with an executive summary of results.

3. In a call with you, Ascendant will discuss vulnerabilities identified and recommendations for remediation.
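As an added illustration of steps 2 and 3 (hypothetical code, not Ascendant’s tooling), the Python below takes scan results in the shape a cloud scanner commonly exports and compares them with the firm’s documented list of intended exposures. The scan results, the approved-exposure baseline and the host addresses are constructed sample data, and the severity bands are the standard CVSS v3 qualitative ranges. The point it makes is that a port the firm never meant to expose needs a firewall change first, whatever its score, while findings on approved services are remediated in severity order.

```python
"""Triage an external vulnerability scan against the firm's approved exposure.

Hypothetical helper, not Ascendant's tooling. SCAN_RESULTS is constructed
sample data in the shape scanner exports commonly take (host, port,
service, finding, CVSS base score); the hosts are documentation addresses.
"""
from collections import Counter

# Constructed sample: what an internet-facing scan of three hosts might report.
SCAN_RESULTS = [
    {"host": "203.0.113.10", "port": 443, "service": "https",
     "finding": "TLS 1.0 enabled", "cvss": 5.3},
    {"host": "203.0.113.10", "port": 80, "service": "http",
     "finding": "Server header discloses software version", "cvss": 2.0},
    {"host": "203.0.113.11", "port": 3389, "service": "rdp",
     "finding": "Remote Desktop reachable from the internet", "cvss": 9.8},
    {"host": "203.0.113.11", "port": 500, "service": "isakmp",
     "finding": "IKE aggressive mode supported", "cvss": 7.5},
    {"host": "203.0.113.12", "port": 21, "service": "ftp",
     "finding": "Anonymous FTP login permitted", "cvss": 7.5},
]

# What the firm intends to expose, as documented in its network security policy
# (constructed baseline). A host that is absent is treated as "nothing approved".
APPROVED_EXPOSURE = {
    "203.0.113.10": {80, 443},   # public website
    "203.0.113.11": {500},       # VPN concentrator
    "203.0.113.12": set(),       # should not be internet-facing at all
}


def severity_band(cvss):
    """CVSS v3 qualitative band, used to phrase the executive summary."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def unexpected_exposures(results, approved):
    """(host, port) pairs the scan observed that are not on the approved list."""
    seen = {(r["host"], r["port"]) for r in results}
    return sorted(pair for pair in seen if pair[1] not in approved.get(pair[0], set()))


def prioritised(results, approved):
    """Worst first: unapproved exposures outrank approved ones, then CVSS descending."""
    unexpected = set(unexpected_exposures(results, approved))
    return sorted(results,
                  key=lambda r: ((r["host"], r["port"]) not in unexpected, -r["cvss"]))


def executive_summary(results, approved):
    """Plain-language lines for the walkthrough call: counts by band, then the
    exposures that need a firewall rule rather than a patch."""
    bands = Counter(severity_band(r["cvss"]) for r in results)
    lines = ["%d findings: " % len(results) + ", ".join(
        "%d %s" % (bands[b], b.lower())
        for b in ("Critical", "High", "Medium", "Low") if bands[b])]
    for host, port in unexpected_exposures(results, approved):
        lines.append("%s port %d is reachable from the internet but is not on the "
                     "approved exposure list" % (host, port))
    return lines


if __name__ == "__main__":
    for line in executive_summary(SCAN_RESULTS, APPROVED_EXPOSURE):
        print(line)
    for r in prioritised(SCAN_RESULTS, APPROVED_EXPOSURE):
        print("%-8s %s:%d  %s (%s)" % (severity_band(r["cvss"]), r["host"],
                                       r["port"], r["finding"], r["cvss"]))
```

The baseline is the piece firms most often lack: without a written list of what is meant to be exposed, a scanner can only rank findings by score, and an accidentally published management port with no scored finding on it slips through.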

Penetration Testing

Firms feeling confident in the security of their network should test that security with a penetration test. A penetration test attempts to exploit weaknesses in a firm’s network using the same methods attackers employ. The scope can be narrow, testing only certain systems or controls, or broad, giving the tester wide latitude to probe the firm’s defenses; in either case the rules of engagement are agreed in advance.

Detailed documentation will be provided at the end of the engagement containing exploitation methods used, vulnerabilities found and recommendations. Not only will a penetration test help improve network security but it will also demonstrate a firm’s commitment to security.

A trained white hat specialist will try to exploit vulnerabilities in a network to gain access, much in the same way a real hacker would.

A detailed report will be provided, listing how a network was breached and what a firm can do about it.

After an engagement, a walkthrough of the report can be done to help the firm further understand how to strengthen network security.

Social Engineering

The latest and greatest in security technology has been shown, time and time again, to be ineffective against vulnerabilities stemming from human error. An employee may plug in an unknown USB stick, open an attachment in a phishing email or unknowingly disclose sensitive information. Social engineering gives hackers powerful non-technical methods of defeating a firm’s security. It is a firm’s job to ensure that its employees and affiliates are properly trained to detect, prevent and respond to social engineering.

This service consists of a phishing campaign targeting your employees. The testing uses several leading methods over a predetermined period, typically no less than a month. Over the course of the campaign, data is gathered to provide insight into employee behavior. The conclusions drawn are then used to reinforce training and strengthen what is typically the weakest cyber link at every firm: people.

Spear phishing emails that spoof trusted senders test employees’ ability to recognize a targeted attack.

Detailed reports containing actions taken against emails, links clicked and attachments downloaded give management insight into employee behavior.

Additional campaigns can use phone calls, dropped USB devices, or emails carrying simulated exploit payloads.
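As an added example of the reporting described above (hypothetical code, not the ACM platform), the Python below turns a phishing platform’s raw event log into the numbers management actually asks for: the funnel of distinct users who opened, clicked and submitted credentials in each campaign, the report rate, users who clicked in more than one campaign, click rate by department, and how quickly the first click landed after delivery. The event rows, user names and departments are constructed sample data.

```python
"""Summarise a simulated phishing campaign from its raw event log.

Hypothetical helper, not Ascendant's ACM platform. EVENTS is a constructed
sample in the shape phishing platforms commonly export: one row per
recipient action, tagged with the campaign the simulated email belonged to.
"""
from collections import defaultdict
from datetime import datetime

# Funnel stages in order; "reported" is tracked separately as the good outcome.
STAGES = ("delivered", "opened", "clicked", "submitted")

# (campaign, user, department, action, timestamp) -- constructed sample data.
EVENTS = [
    ("c1", "alice", "Ops",        "delivered", "2017-11-06T09:00:00"),
    ("c1", "alice", "Ops",        "opened",    "2017-11-06T09:04:00"),
    ("c1", "alice", "Ops",        "reported",  "2017-11-06T09:05:00"),
    ("c1", "bob",   "Trading",    "delivered", "2017-11-06T09:00:00"),
    ("c1", "bob",   "Trading",    "opened",    "2017-11-06T09:06:00"),
    ("c1", "bob",   "Trading",    "clicked",   "2017-11-06T09:07:00"),
    ("c1", "bob",   "Trading",    "submitted", "2017-11-06T09:08:00"),
    ("c1", "carol", "Compliance", "delivered", "2017-11-06T09:00:00"),
    ("c1", "carol", "Compliance", "opened",    "2017-11-06T09:25:00"),
    ("c1", "carol", "Compliance", "clicked",   "2017-11-06T09:30:00"),
    ("c1", "carol", "Compliance", "clicked",   "2017-11-06T09:31:00"),  # second click
    ("c2", "alice", "Ops",        "delivered", "2017-11-20T14:00:00"),
    ("c2", "alice", "Ops",        "reported",  "2017-11-20T14:10:00"),
    ("c2", "bob",   "Trading",    "delivered", "2017-11-20T14:00:00"),
    ("c2", "bob",   "Trading",    "opened",    "2017-11-20T14:02:00"),
    ("c2", "bob",   "Trading",    "clicked",   "2017-11-20T14:03:00"),
    ("c2", "carol", "Compliance", "delivered", "2017-11-20T14:00:00"),
    ("c2", "carol", "Compliance", "opened",    "2017-11-20T15:00:00"),
]


def _users_by_action(events, campaign):
    """Map action -> set of users who performed it at least once in the campaign."""
    users = defaultdict(set)
    for camp, user, _dept, action, _ts in events:
        if camp == campaign:
            users[action].add(user)
    return users


def funnel(events, campaign):
    """Distinct-user counts per stage plus reports. Rates are relative to
    deliveries, so a user who clicks twice (carol in c1) counts once."""
    users = _users_by_action(events, campaign)
    delivered = len(users["delivered"])
    out = {stage: len(users[stage]) for stage in STAGES}
    out["reported"] = len(users["reported"])
    out["click_rate"] = round(out["clicked"] / delivered, 2) if delivered else 0.0
    out["report_rate"] = round(out["reported"] / delivered, 2) if delivered else 0.0
    return out


def repeat_clickers(events):
    """Users who clicked in more than one campaign: the first training priority."""
    campaigns = defaultdict(set)
    for camp, user, _dept, action, _ts in events:
        if action == "clicked":
            campaigns[user].add(camp)
    return sorted(u for u, c in campaigns.items() if len(c) > 1)


def click_rate_by_department(events):
    """Share of (user, campaign) deliveries that ended in a click, per department."""
    delivered, clicked = defaultdict(set), defaultdict(set)
    for camp, user, dept, action, _ts in events:
        if action == "delivered":
            delivered[dept].add((user, camp))
        elif action == "clicked":
            clicked[dept].add((user, camp))
    return {d: round(len(clicked[d]) / len(delivered[d]), 2) for d in delivered}


def minutes_to_first_click(events, campaign):
    """Minutes from first delivery to first click. This bounds how fast incident
    response must act when a real phish lands. None if nobody clicked."""
    sent = [datetime.fromisoformat(e[4]) for e in events
            if e[0] == campaign and e[3] == "delivered"]
    clicks = [datetime.fromisoformat(e[4]) for e in events
              if e[0] == campaign and e[3] == "clicked"]
    if not sent or not clicks:
        return None
    return (min(clicks) - min(sent)).total_seconds() / 60


if __name__ == "__main__":
    for camp in ("c1", "c2"):
        print(camp, funnel(EVENTS, camp), "first click after",
              minutes_to_first_click(EVENTS, camp), "min")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("click rate by department:", click_rate_by_department(EVENTS))
```

Counting distinct users rather than raw events matters: a single employee who clicks a link three times would otherwise inflate the click rate and hide the fact that the report rate, the number that shows training is working, is the one to watch across campaigns.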

The following is a sample of cybersecurity policies Ascendant can develop for you:

Data Classification
By ensuring data is properly classified, policies and procedures can be designed for your firm to help protect sensitive data.

Data Loss Prevention
In this modern age, data can be accessed and exfiltrated from almost any device. Ascendant will create specially crafted policies constructed to govern the control and flow of data.

Patch Management
Having proper patch management practices is crucial to ensuring that systems stay up to date. Unpatched systems are low-hanging fruit for hackers, and the SEC will closely examine patch management policies and procedures.

Change Management and Configuration Management
Without sufficient change management policies and procedures, changes can be made without oversight and introduce a host of risks to a firm. Special policies and procedures can be tailored to fit a firm so change is made within firm supervision.

Network Security
Firms must identify the controls in place to safeguard networks from outsiders. Ascendant can review if the security controls are adequate and produce new or improved policies.

Incident Management and Response
Having half an incident response plan is almost as bad as having no plan. Ascendant will ensure a firm’s incident response plan is up to the task of handling a wide variety of incidents as well as ensuring that plan is reviewed and tested.

Encryption
Data confidentiality is heavily reliant on encryption. Its use and implementation should be tailored to fit a firm’s business environment to obtain security assurances.

Mobile Devices
The use of mobile devices for firms should be monitored and controlled, and Ascendant will assist with development of policies for that purpose.

Third-Party Oversight and Vendor Due Diligence
Firms today rely heavily on vendors. This reliance is a convenience as well as an area for risk. Ascendant can help craft policies for proper due diligence to confirm that vendors are adhering to best practices in information security and business continuity.

Access Provisioning
Granting and revoking access to systems and data in a controlled way supports operational efficiency and prevents superfluous access. Without proper policies and procedures, however, access can be overlooked when staff change roles or leave, granted without authorization, or even exploited by outside parties.

Physical Security Controls
Areas such as visitor identification, restricted areas, access monitoring and more should be included in a robust Information Security Policy.

Remote Access
Remote Access is a convenience that many firms utilize, but few address procedurally. Ascendant will review and document the access controls and security surrounding remote access.

The final information security manual provided as a deliverable will consist of a comprehensive suite of policies and procedures describing how the firm protects its information assets. In addition, recommendations will be given to help bridge the gap to industry standard cybersecurity.

Ascendant’s IT team holds numerous industry-leading cybersecurity certifications, including several that are among the limited certifications approved by the U.S. Department of Defense (DoD) for the performance of information assurance. Each of these certifications requires at least 40 hours per year of continuing cybersecurity education to maintain current skills in a rapidly changing threat environment.

AMONG THE CERTIFICATES HELD ARE:

CISA

Certified Information Systems Auditor is a globally recognized certification in the field of audit, control and security of information systems.

CISM

Certified Information Security Manager focuses on information risk management as the basis of information security.

CRISC

Holders of the Certified in Risk and Information Systems Control credential manage risk, design and oversee response measures, monitor systems for risk, and ensure the organization’s risk management strategies are met.

Further, our cybersecurity certifications supplement the industry knowledge our IT consultants have obtained through hands-on experience as systems integrators, software architects and developers, and IT project managers. Ascendant’s certified cybersecurity experts are frequently requested to speak at national conferences, and network with the FBI, CIA, technology vendors, law firms, and federal and state regulators to stay ahead of industry best practices and examination focus areas.

Whatever your needs, Ascendant will work with you to make compliance a source of strength.

Please call 1-860-435-2255 for more information.

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.