Cybersecurity Services

STRENGTHENING YOUR CYBER PROGRAM

Strategies to Assess, Protect and Monitor

Cybersecurity is on the minds of firms of all sizes. Cyberattacks and ransomware incidents among financial services firms rose 400% from 2015 to 2016 and are expected to double again in 2017 (sources: IBM Security, CNBC, Beazley). Regulators including the SEC, FINRA and the CFTC, as well as state regulators, have expanded their focus on cybersecurity. From protecting the personal information of retail clients to answering the wide range of cybersecurity questions now included in institutional investor due diligence, is your firm prepared?

Managing cybersecurity risk is now considered part of a robust compliance program, yet many compliance professionals worry that they do not understand the technical aspects well enough to be comfortable with their current program, or that they do not know where to start in developing one.

Federal rules such as Regulation S-P, Regulation S-ID and Rule 206(4)-7 are quickly being joined by state regulations that likewise mandate adequate information security policies and procedures. States such as Massachusetts, California and, most recently, New York have enacted their own regulations dictating how firms must secure their own information as well as that of their clients.

Ascendant can take that worry off your plate. We have designed a comprehensive cybersecurity package to help you manage these risks, while allowing you to focus on your core business.


  • Understand your cybersecurity risks from both a regulatory and business/operational perspective
  • Develop a robust Incident Response policy and test plan
  • Test your staff with phishing and social engineering testing
  • Implement the NIST Cybersecurity Framework as part of your cybersecurity strategy to have an understandable roadmap for discussion with senior management, compliance, and IT
  • Assess the cybersecurity programs of other firms you are considering acquiring
  • Validate your network defenses with penetration testing
  • Bring your cybersecurity policies and procedures up to industry best practices with a custom Information Security Policy manual created just for you
  • Assess the adequacy of your patch management practices
  • Train your staff on emerging threats with on-demand cybersecurity training and in-person cybersecurity training
  • Prepare for a regulatory examination by assessing your ability to meet examiners’ expectations of controls, policies, and testing with our Cybersecurity Gap Analysis, designed to address the SEC’s OCIE Cybersecurity Examination Initiative
  • Evaluate and document vendor due diligence

Ascendant offers a cybersecurity training program customizable to meet your needs and busy schedule. Whether you prefer on-demand training modules with reporting capabilities or the ability for your staff to ask questions during live, in-person training at your offices, we can help prepare your employees to recognize cybersecurity threats and trends to better protect your firm and its reputation. Ascendant’s cybersecurity training covers hot-button issues including ransomware and social engineering techniques, keeping systems patched, mobile device security, and a host of other topics. We can also customize a training program just for you.

We offer training on our ACM platform, delivering training videos and attestations to your employees remotely.

For a more hands-on approach, Ascendant can send one of its Cybersecurity Specialists to train your employees on site.

Ascendant can create custom training solutions tailored to fit your firm’s needs. Whether you are looking to enhance training for one office or hundreds of branches, Ascendant has you covered.

For firms that are truly serious about cybersecurity, Ascendant can help implement the nationally recognized NIST Cybersecurity Framework, the framework on which the SEC’s cybersecurity examinations are based. Used throughout the government and now the de facto framework for the private sector, the NIST Cybersecurity Framework will bring your firm’s cyber program to the next level and provide the peace of mind that comes from a program aligned with both industry best practices and regulatory expectations.

The Framework’s five core functions:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Firms that have existing Information Security policies and procedures in place may wish to have them examined for best practices. Ascendant can review a firm’s documentation to obtain assurances that best practices are being used and to identify outstanding compliance deviations. This review can be done remotely. The deliverable: a detailed report identifying procedural gaps and providing recommendations for remediation.

1. Firm provides information security-related documentation to our secure ACM cloud portal.

2. Our ISACA-certified Information Security Consultants examine firm documentation using proprietary methodology and risk scoring.

3. A Gap Analysis report is provided documenting deficiencies with recommendations to assist in bridging gaps and bringing a firm’s Information Security Policy up to industry standard.

Ascendant can help small firms get their IT up and running by assisting with vendor selection and due diligence. Firms that rely on vendors for IT and cybersecurity functions often lack documentation evidencing the diligence performed on those vendors, and in some cases do not know where to start. Ascendant will craft policies and procedures that address each vendor within a firm’s Information Security Plan. For mid- to large-size firms with established programs that are weak on vendor due diligence, Ascendant provides a streamlined platform to track vendor questionnaires and responses, supporting the risk management effort with on-demand reporting.

Ascendant can obtain assurances that vendors provide secure services and do not endanger firm data, supplying policies that evidence this and procedures that keep the firm current on its due diligence.

With our ACM cloud technology, performing vendor due diligence is easy, secure and streamlined.

For firms that need a comprehensive risk assessment, our certified cybersecurity specialists can bring firm policies and practices up to standard. We identify physical and network security risks through a combination of on-site inspection, staff interviews and access control testing; bridge the gap between compliance, IT and senior management in understanding cyber risk; and help you develop an action plan to reduce your risk profile. Upon request, Ascendant can accompany your team on site to your data center or other third-party vendors to assist in due diligence. The on-site assessment gives your firm the opportunity to question our cyber experts directly and to learn how your cybersecurity program benchmarks against your peers.

A physical security review identifies areas needing remediation and provides documentation evidencing existing and recommended controls.

Staff interviews can help paint a deeper picture of a firm’s operational procedures and access controls, and can corroborate whether actual practices are consistent with Firm policy. Ascendant will help examine and document accordingly.

Ascendant will perform a Gap Analysis on a firm’s network security, identifying controls needing remediation.

Ascendant can aid in the vendor diligence process, making sure the right questions are being asked and proper documentation is being maintained.

A final risk assessment will contain a comprehensive review of a firm’s cyber risk profile that identifies steps toward remediation and provides additional documentation aimed toward the creation of an Information Security Policy.

Vulnerability Scanning

Regulatory agencies such as the SEC, NY DFS and FINRA require or expect firms to perform regular vulnerability scans of their networks. An external scan shows the firm its network from an outsider’s perspective: which hosts and services are exposed to the internet and what an attacker can learn from them, so that the perimeter can be tightened. Bear in mind that an unauthenticated external scan covers only internet-facing assets and reports suspected weaknesses rather than confirmed exploitability; internal systems need their own scans, and confirming exploitability is the job of a penetration test. Raw scan output can be verbose and confusing to those untrained in vulnerability identification; Ascendant provides reports with executive summaries that list the issues in plain terms, and walks through the identified vulnerabilities and remediation steps in plain English so that you come away understanding both the risks and the recommendations.

1. Using cloud-based scanners, the firm’s external network is examined for vulnerabilities.

2. A report is created identifying network vulnerabilities along with an executive summary of results.

3. In a call with you, Ascendant will discuss vulnerabilities identified and recommendations for remediation.

Penetration Testing

Firms confident in the security of their network should validate that confidence with a penetration test. A penetration test attempts to exploit weaknesses in a firm’s network using the same methods an attacker would. The scope is agreed in advance: a test can be narrow, covering only certain systems or controls, or broad, giving the tester wide latitude to probe the firm’s defenses.

Detailed documentation will be provided at the end of the engagement containing exploitation methods used, vulnerabilities found and recommendations. Not only will a penetration test help improve network security but it will also demonstrate a firm’s commitment to security.

A trained white hat specialist will try to exploit vulnerabilities in a network to gain access, much in the same way a real hacker would.

A detailed report will be provided, listing how a network was breached and what a firm can do about it.

After an engagement, a walkthrough of the report can be done to help the firm further understand how to strengthen network security.

Social Engineering

The latest security technology has time and again proven ineffective against weaknesses stemming from human error. An employee may plug in an unknown USB stick, open an attachment in a phishing email or unknowingly disclose sensitive information. Social engineering gives attackers powerful non-technical methods of defeating a firm’s security. It is a firm’s job to ensure that its employees and affiliates are trained to detect, prevent and respond to social engineering.

This service consists of a phishing campaign targeting your employees. The testing uses several leading methods over a predetermined period, typically no less than a month. Over the course of the campaign, data is gathered on how employees respond, and the conclusions drawn are used to reinforce training and strengthen what is typically the weakest link at every firm: people.

Spear phishing techniques, such as spoofed sender addresses, test employees’ security awareness.

Detailed reports containing actions taken against emails, links clicked and attachments downloaded give management insight into employee behavior.

Additional campaigns can use phone calls, USB devices or simulated exploit payloads delivered by email.
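The data gathering described above, as an added example that is not part of the original page or Ascendant’s own tooling: a small Python script that reads a simulated-phishing event log and produces the figures management actually acts on. The event format (one timestamp, recipient, action record per event, with a new “sent” starting a new wave for that recipient) and the sample log are assumptions constructed for the example. It deliberately ignores “opened” events, which depend on a tracking image that many mail clients block, and it reports the time between send and first click, which is the window defenders had to react.

```python
"""Summarise a simulated-phishing campaign from its event log.

Added example (not Ascendant's code). The event format is an assumption:
one (timestamp, recipient, action) record per event, where action is one of
sent / opened / clicked / submitted / reported. A new "sent" for a recipient
starts a new wave for that recipient.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log for a two-wave campaign (not real data).
EVENTS = [
    ("2018-03-01T09:00:00", "alice@example.com", "sent"),
    ("2018-03-01T09:00:00", "bob@example.com", "sent"),
    ("2018-03-01T09:00:00", "carol@example.com", "sent"),
    ("2018-03-01T09:00:00", "dave@example.com", "sent"),
    ("2018-03-01T09:04:10", "alice@example.com", "opened"),
    ("2018-03-01T09:04:35", "alice@example.com", "clicked"),
    ("2018-03-01T09:05:02", "alice@example.com", "submitted"),
    ("2018-03-01T09:10:00", "bob@example.com", "opened"),
    ("2018-03-01T09:11:00", "bob@example.com", "reported"),
    ("2018-03-01T10:30:00", "carol@example.com", "clicked"),  # no "opened": image blocked
    ("2018-03-15T09:00:00", "alice@example.com", "sent"),
    ("2018-03-15T09:00:00", "bob@example.com", "sent"),
    ("2018-03-15T09:00:00", "carol@example.com", "sent"),
    ("2018-03-15T09:00:00", "dave@example.com", "sent"),
    ("2018-03-15T09:02:00", "alice@example.com", "clicked"),
    ("2018-03-15T09:03:00", "carol@example.com", "reported"),
    ("2018-03-15T09:03:00", "dave@example.com", "reported"),
]


def recipient_waves(events):
    """Group events into per-recipient waves: {recipient: [{action: first_time}, ...]}."""
    waves = defaultdict(list)
    for ts, rcpt, action in sorted((datetime.fromisoformat(t), r, a) for t, r, a in events):
        if action == "sent":
            waves[rcpt].append({"sent": ts})
        elif waves[rcpt]:
            # keep only the first occurrence of each action within the wave
            waves[rcpt][-1].setdefault(action, ts)
        # an action with no preceding send is a tracking artefact and is ignored
    return waves


def summarize(events):
    """Per-wave counts and rates. "opened" is not counted: it relies on a tracking
    image loading, which many mail clients block, so it under-reports."""
    waves = recipient_waves(events)
    n_waves = max((len(w) for w in waves.values()), default=0)
    summary = []
    for i in range(n_waves):
        sent = clicked = submitted = reported = 0
        click_delays = []
        for ws in waves.values():
            if i >= len(ws):
                continue
            w = ws[i]
            sent += 1
            # a credential submission implies a click even if the click event was lost
            click_times = [w[a] for a in ("clicked", "submitted") if a in w]
            if click_times:
                clicked += 1
                click_delays.append((min(click_times) - w["sent"]).total_seconds())
            submitted += "submitted" in w
            reported += "reported" in w
        summary.append({
            "sent": sent, "clicked": clicked, "submitted": submitted, "reported": reported,
            "click_rate": round(clicked / sent, 3) if sent else 0.0,
            "report_rate": round(reported / sent, 3) if sent else 0.0,
            # how long defenders had before the first victim acted
            "fastest_click_seconds": min(click_delays) if click_delays else None,
        })
    return summary


def repeat_clickers(events, min_waves=2):
    """Recipients who clicked in at least `min_waves` waves: first priority for training."""
    hits = {rcpt: sum(1 for w in ws if "clicked" in w or "submitted" in w)
            for rcpt, ws in recipient_waves(events).items()}
    return sorted(r for r, n in hits.items() if n >= min_waves)


if __name__ == "__main__":
    for i, wave in enumerate(summarize(EVENTS), 1):
        print(f"wave {i}: {wave}")
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Reading the output: a falling click rate and a rising report rate between waves is the trend training is meant to produce; a fastest click of a few minutes after send tells the firm how quickly its reporting and takedown process must work for a real campaign.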

The following is a sample of cybersecurity policies Ascendant can develop for you:

Data Classification
By ensuring data is properly classified, policies and procedures can be designed for your firm to help protect sensitive data.

Data Loss Prevention
Today, data can be accessed and exfiltrated from almost any device. Ascendant creates policies that govern the control and flow of data.

Patch Management
Having proper patch management practices is crucial to ensuring that systems stay up to date. Unpatched systems are low-hanging fruit for hackers, and the SEC will closely examine patch management policies and procedures.
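One way to assess the adequacy of patch management, as an added example that is not part of the original page or Ascendant’s methodology: measure each missing or late patch against a severity-based remediation deadline and compute how often the firm met it. The deadlines, the inventory format (host, patch, severity, vendor release date, install date or None) and the review date are assumptions constructed for the example; a firm’s own policy sets the real figures.

```python
"""Check a patch inventory against severity-based remediation deadlines.

Added example (not Ascendant's code). The SLA figures, the inventory rows and the
review date are assumptions constructed for illustration.
"""
from datetime import date, timedelta

# Assumed remediation deadlines in days from vendor release, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed inventory export: (host, patch_id, severity, released, installed_or_None).
INVENTORY = [
    ("fs01", "KB-001", "critical", date(2018, 3, 1), date(2018, 3, 5)),
    ("fs01", "KB-002", "high", date(2018, 2, 1), None),
    ("ws-17", "KB-001", "critical", date(2018, 3, 1), None),
    ("ws-17", "KB-003", "low", date(2017, 12, 1), None),
    ("db01", "KB-001", "critical", date(2018, 3, 1), date(2018, 3, 20)),
]

# Constructed date on which the review is run.
REVIEW_DATE = date(2018, 3, 31)


def patch_status(inventory, today, sla_days=SLA_DAYS):
    """Classify every (host, patch) pair.

    applied       installed on or before its deadline
    applied-late  installed, but after the deadline
    overdue       not installed and the deadline has passed
    missing       not installed, deadline still in the future
    """
    rows = []
    for host, patch, severity, released, installed in inventory:
        deadline = released + timedelta(days=sla_days[severity])
        if installed is not None:
            state = "applied" if installed <= deadline else "applied-late"
            days_over = max((installed - deadline).days, 0)
        else:
            state = "overdue" if today > deadline else "missing"
            days_over = max((today - deadline).days, 0)
        rows.append({"host": host, "patch": patch, "severity": severity,
                     "deadline": deadline, "state": state, "days_over": days_over})
    return rows


def sla_compliance(rows):
    """Share of patches whose deadline has passed, or that were applied, that met it.
    Patches still inside their window are excluded so they neither help nor hurt."""
    due = [r for r in rows if r["state"] != "missing"]
    if not due:
        return 1.0
    return round(sum(r["state"] == "applied" for r in due) / len(due), 3)


def worst_offenders(rows, limit=3):
    """Open, overdue items ordered by how far past the deadline they are."""
    open_items = [r for r in rows if r["state"] == "overdue"]
    return sorted(open_items, key=lambda r: r["days_over"], reverse=True)[:limit]


if __name__ == "__main__":
    rows = patch_status(INVENTORY, REVIEW_DATE)
    for r in rows:
        print(f"{r['host']:6} {r['patch']:7} {r['severity']:9} {r['state']:13} +{r['days_over']}d")
    print("SLA compliance:", sla_compliance(rows))
    print("worst:", [(r["host"], r["patch"]) for r in worst_offenders(rows)])
```

The compliance figure is the number an examiner will ask for; the per-host list is what IT needs to act on. Tracking the applied-late category separately matters because a patch that was eventually installed still represents a window of exposure the policy did not permit.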

Change Management and Configuration Management
Without sufficient change management policies and procedures, changes can be made without oversight and introduce a host of risks to a firm. Policies and procedures can be tailored to the firm so that changes are made under firm supervision.

Network Security
Firms must identify the controls in place to safeguard networks from outsiders. Ascendant can review if the security controls are adequate and produce new or improved policies.

Incident Management and Response
Having half an incident response plan is almost as bad as having no plan. Ascendant will ensure a firm’s incident response plan is up to the task of handling a wide variety of incidents as well as ensuring that plan is reviewed and tested.

Encryption
Data confidentiality is heavily reliant on encryption. Its use and implementation should be tailored to fit a firm’s business environment to obtain security assurances.

Mobile Devices
The use of mobile devices for firms should be monitored and controlled, and Ascendant will assist with development of policies for that purpose.

Third-Party Oversight and Vendor Due Diligence
Firms today rely heavily on vendors. This reliance is a convenience as well as an area for risk. Ascendant can help craft policies for proper due diligence to confirm that vendors are adhering to best practices in information security and business continuity.

Access Provisioning
Granting access when it is needed and revoking it when it is no longer needed keeps operations efficient and prevents superfluous access. Without proper policies and procedures, however, access can be overlooked, granted without authorization, or exploited by outside parties.
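The three failure modes named above (access overlooked, granted without authorization, or held by someone who should no longer have it) are exactly what a periodic access review looks for. As an added example that is not part of the original page or Ascendant’s platform, the Python below reconciles an entitlement export against the HR roster and a role baseline. The roster, role baseline, approver list, exception list and entitlement export are all constructed assumptions; in practice they come from HR, the access policy and the systems under review.

```python
"""Periodic access review: reconcile live entitlements with the HR roster.

Added example (not Ascendant's code). All inputs are constructed and their
formats are assumptions: roster maps user -> (status, role); the role baseline
maps role -> the set of entitlements that role should hold; the entitlement
export lists (user, entitlement, granted_by) triples; approvers and documented
exceptions come from the firm's access policy.
"""

ROSTER = {
    "alice": ("active", "trader"),
    "bob": ("active", "ops"),
    "carol": ("terminated", "ops"),
    "dave": ("active", "it"),
}
ROLE_BASELINE = {
    "trader": {"oms-read", "oms-trade"},
    "ops": {"oms-read", "recon"},
    "it": {"oms-read", "ad-admin"},
}
APPROVERS = {"cto", "cco"}
# Documented, approved deviations from the baseline: (user, entitlement).
EXCEPTIONS = {("bob", "oms-trade")}
ENTITLEMENTS = [
    ("alice", "oms-read", "cto"),
    ("alice", "oms-trade", "cto"),
    ("alice", "ad-admin", "helpdesk"),  # outside her role and granted by a non-approver
    ("bob", "oms-read", "cto"),
    ("bob", "recon", "cto"),
    ("bob", "oms-trade", "cco"),        # outside his role but a documented exception
    ("carol", "oms-read", "cto"),       # account of a terminated employee
    ("erin", "recon", "cto"),           # account with no roster entry at all
    ("dave", "ad-admin", "cto"),
]


def review_access(roster, baseline, entitlements, approvers, exceptions=frozenset()):
    """Return (kind, user, entitlement, detail) findings.

    orphan      holder is not an active employee: revoke
    unapproved  grant was not made by an authorised approver: investigate
    excess      entitlement is outside the holder's role with no exception: justify or revoke
    """
    findings = []
    for user, ent, granted_by in entitlements:
        status, role = roster.get(user, ("unknown", None))
        if status != "active":
            findings.append(("orphan", user, ent, f"account status: {status}"))
            continue  # an orphan is revoked regardless of the checks below
        if granted_by not in approvers:
            findings.append(("unapproved", user, ent, f"granted by {granted_by}"))
        if ent not in baseline.get(role, set()) and (user, ent) not in exceptions:
            findings.append(("excess", user, ent, f"not in baseline for role {role}"))
    return findings


def findings_by_kind(findings):
    """Counts per finding kind, for the summary line of the review report."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ROSTER, ROLE_BASELINE, ENTITLEMENTS, APPROVERS, EXCEPTIONS)
    for kind, user, ent, detail in results:
        print(f"{kind:10} {user:6} {ent:9} {detail}")
    print(findings_by_kind(results))
```

The exception list is what keeps the review honest: a legitimate deviation from the baseline is recorded and approved once, rather than re-explained (or silently ignored) at every review, and a deviation that is not on the list is a finding until someone signs off on it.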

Physical Security Controls
Areas such as visitor identification, restricted areas, access monitoring and more should be included in a robust Information Security Policy.

Remote Access
Remote Access is a convenience that many firms utilize, but few address procedurally. Ascendant will review and document the access controls and security surrounding remote access.

The final information security manual provided as a deliverable will consist of a comprehensive suite of policies and procedures describing how the firm protects its information assets. In addition, recommendations will be given to help bridge the gap to industry standard cybersecurity.

Ascendant’s IT team holds numerous industry-leading cybersecurity certifications, including several among the limited set approved by the U.S. Department of Defense (DoD) for information assurance work. Each of these certifications requires 120 hours of continuing professional education over every three-year cycle (an average of 40 hours per year, with a minimum of 20 hours in any single year) to maintain current skills in a rapidly changing threat environment.

AMONG THE CERTIFICATES HELD ARE:

CISA

Certified Information Systems Auditor is a globally recognized certification in the field of audit, control and security of information systems.

CISM

Certified Information Security Manager focuses on information risk management as the basis of information security.

CRISC

Certified in Risk and Information Systems Control holders manage risk, design and oversee response measures, monitor systems for risk, and ensure that the organization’s risk management strategies are met.

Further, our cybersecurity certifications supplement the industry knowledge our IT consultants have obtained through hands-on experience as systems integrators, software architects and developers, and IT project managers. Ascendant’s certified cybersecurity experts are frequently requested to speak at national conferences, and network with the FBI, CIA, technology vendors, law firms, and federal and state regulators to stay ahead of industry best practices and examination focus areas.

Whatever your needs, Ascendant will work with you to make compliance a source of strength.

Please call 1-860-435-2255 for more information.


Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.