WHAT CYBERSECURITY COMPLIANCE DOCUMENTATION DOES THE SEC REQUIRE A
FIRM TO MAINTAIN?
HOW TO BUILD A VERY SOLID SEC CYBERSECURITY COMPLIANCE
DOCUMENTATION PROGRAM.
At MTradecraft, we provide cybersecurity auditing and penetration
testing services to SEC and FINRA registered firms. We currently
support over 180 firms, and I want to discuss a very important
observation from working with these firms. I consistently notice
there is confusion among firm leadership on how to interpret the
SEC’s (or FINRA’s, or any SSB’s) guidance on cybersecurity
compliance. I hope this document helps cut directly to what you
need to be doing at your firm.
The SEC’s written guidance is generic and not helpful. I am not
going to cover what the SEC has published in this paper, but I
highly encourage you to read all the SEC’s cybersecurity-related
releases. Instead, I want to focus on real world solutions to
help you build an operationally streamlined cybersecurity
compliance program. In most of my engagements, I am working with
CCOs who are, by and large, technically savvy individuals. They
would have no problem performing their cybersecurity compliance
duties if they only knew what they were. This paper is for you.
First, let us set the stage and consider how a typical firm’s IT
infrastructure might be structured. Consider the graphic below
which represents a simple example of how a firm’s systems are
interconnected.
www.mtradecraft.com | [email protected]
The yellow flags represent items that a CCO is responsible for
ensuring are up to date, properly patched, and not susceptible to
any known vulnerabilities. The “External Penetration Test”,
“Social Engineering”, and “Internal Penetration Tests” flags
identify locations that need to be actively monitored and tested
for vulnerabilities. These are potential entry points for
malicious attackers. As a penetration tester, these are the areas
I focus on.
If you hired an outsourced IT company to administer your network,
do not trust them to perform these cybersecurity audits for you.
They won’t. Or, if you do trust them, make sure they are sending
you the PDF documentation to prove that they are performing these
cybersecurity auditing tasks. The SEC will want to see the
documentation.
Cybersecurity Law #1: The easier a device is to deploy and
administer, the more vulnerable it is.
In my experience, 99% of IT firms will not give you that
cybersecurity compliance documentation because at the end of the
day IT firms want to deliver repetitive technology (easy to
deploy and administer) to hundreds of firms, whereas SEC
registered firms need redundant and secure technology (difficult
to deploy and administer). So, there is an inherent conflict of
interest when outsourcing your IT operations. You and the IT
vendor have different goals. I don’t sell those kinds of services,
so I am not trying to knock my competition here.
Regardless of whether you outsource your IT or keep those
operations in house, the CCO is still responsible for producing
the required cybersecurity compliance documentation. To perform
this work, you can hire an outsourced cybersecurity auditing
company (wink: such as MTradecraft : wink) to perform these
audits and produce your documentation. When choosing a firm, it
is important to make sure there are no conflicts of interest.
For example, don’t select a cybersecurity firm that sells ongoing
monitoring services, because they will conveniently find all
kinds of vulnerabilities that will require their $299/month
monitoring service. Don’t take the bait.
Or, you can tackle it yourself.
Below I will outline how I set up my clients’ cybersecurity
compliance folders. The suggestions below are just a baseline
that all firms will need. Depending on your infrastructure or
operations (locations, parent companies, IT deployments, etc.) you
will probably require additional documentation.
First, let’s start with the Policies and Procedures documents.
Cybersecurity Compliance Document #1
The Cybersecurity Policies and Procedures Manual
Here is the outline I use when crafting this document for my
clients. You can use these topics to craft a manual that is
custom written for your firm. If you need a template for this,
just let me know and I will send you one.
Cybersecurity Compliance Document #2
Employee Technology Use Agreement Forms.
This policy sets forth a basic set of standards for the use and protection of a firm’s computer assets. It should be administered to all firm personnel at onboarding and once again annually. Employees need to sign off that they have read and agree with the document.
See Appendix B for a template I use with my clients.
Cybersecurity Compliance Documents #3-1000.
Documentation of the Active Monitoring of Firm IT Assets
Our personal preference is to use Tenable’s Nessus software to
provide what we consider to be industry leading vulnerability
scanning and reporting capabilities for our clients. Deploying a
scanning solution like Nessus will allow a CCO to build a
set-it-and-forget-it monitoring solution. At MTradecraft, we
deploy these scanners to automatically scan our clients’ entire
network and domain once a week and email a report to the CCO. The CCO can
then read the report, respond to any needed actions, and then
file that report away in the firm’s Cybersecurity Compliance
Folder. If a vulnerability is detected, Nessus will present you
with a solution in the report.
Speaking of cybersecurity compliance folders, here is how I
suggest you structure that folder. We will use an example from
my old firm, Vela Ford.
Cybersecurity Folder Descriptions
Vela Ford Vulnerability Scan Databases: Each time Nessus runs a
scan, it will produce a database. Save those here.
Vulnerability Reports – Austin and San Antonio Offices: We save
the vulnerability scans for each office in separate folders.
From Nessus, we export each scan report to a PDF and save it
here. We also include network maps for each office and
screenshots from each audit in this folder.
Vulnerability Reports – External Assets: This is where we save
vulnerability scan reports for external assets like email
servers, client portals, websites, webapps, etc.
2020 December Vela Ford...Annual Executive Summary: Each year you
need to perform a cybersecurity audit in conjunction with your
annual 206-4 compliance review. Document that audit in an
executive summary and save it in your compliance folder. Be sure
to follow up and document any remediations that you make.
Remember, with the SEC, if you didn’t document “it”...”it” didn’t
happen.
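The weekly scan-read-file routine described above, as an added example that is not MTradecraft’s code: it reads a Nessus export in the .nessus XML (v2) format, which Nessus can produce alongside the PDF report, writes the record that the Appendix A requests for the month and year of the most recent scan and for unremediated moderate-or-higher findings call for, and compares two consecutive weekly exports to show which findings were remediated, which are still open, and which are new. The host names, plugin IDs and findings are constructed samples, not data from any real scan.

```python
"""Added example (not MTradecraft's code): turn a Nessus .nessus (XML v2) export into
the remediation record the Appendix A requests ask for. All hosts, plugin IDs and
finding text below are constructed for illustration, not taken from a real scan."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Nessus "severity" attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
REPORTABLE = 2  # examiners ask about findings deemed moderate (medium) or higher

@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    name: str
    severity: int
    solution: str

    @property
    def key(self):
        # Same plugin on the same host across weekly scans is the same finding,
        # which is what lets us mark it remediated or still open week over week.
        return (self.host, self.plugin_id)

def parse_nessus(xml_text):
    """Return (latest HOST_END datetime, list of Finding) from a .nessus v2 document."""
    root = ET.fromstring(xml_text)
    findings, scan_end = [], None
    for host in root.iter("ReportHost"):
        for tag in host.iter("tag"):
            if tag.get("name") == "HOST_END":  # ctime style: "Mon Dec  7 09:12:33 2020"
                ended = datetime.strptime(tag.text.strip(), "%a %b %d %H:%M:%S %Y")
                scan_end = ended if scan_end is None else max(scan_end, ended)
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=host.get("name"),
                plugin_id=item.get("pluginID"),
                name=item.get("pluginName"),
                severity=int(item.get("severity")),
                solution=item.findtext("solution", default="").strip(),
            ))
    return scan_end, findings

def reportable(findings):
    """Moderate-or-higher findings, most severe first."""
    return sorted((f for f in findings if f.severity >= REPORTABLE),
                  key=lambda f: (-f.severity, f.host, f.plugin_id))

def severity_counts(findings):
    """Per-host counts by severity name, for the annual executive summary."""
    counts = {}
    for f in findings:
        per_host = counts.setdefault(f.host, {})
        label = SEVERITY_NAMES[f.severity]
        per_host[label] = per_host.get(label, 0) + 1
    return counts

def remediation_status(previous, current):
    """Compare two weekly scans: reportable findings remediated, still open, and new."""
    prev_keys = {f.key for f in reportable(previous)}
    cur_keys = {f.key for f in reportable(current)}
    return {"remediated": sorted(prev_keys - cur_keys),
            "still_open": sorted(prev_keys & cur_keys),
            "new": sorted(cur_keys - prev_keys)}

def compliance_record(xml_text):
    """Plain-text record to file beside the PDF: scan month and year, open findings, solutions."""
    scan_end, findings = parse_nessus(xml_text)
    when = f"{scan_end:%B %Y}" if scan_end else "unknown"
    hosts = len({f.host for f in findings})
    lines = [f"Most recent vulnerability scan: {when}; hosts scanned: {hosts}"]
    for f in reportable(findings):
        lines.append(f"[{SEVERITY_NAMES[f.severity]}] {f.host} plugin {f.plugin_id}: {f.name}")
        lines.append(f"    Nessus solution: {f.solution or 'n/a'}")
    return "\n".join(lines)

# Constructed .nessus fragments standing in for two consecutive weekly exports.
LAST_WEEK = """<NessusClientData_v2><Report name="Austin Office (constructed)">
<ReportHost name="fileserver01"><HostProperties>
<tag name="HOST_END">Mon Nov 30 09:10:00 2020</tag></HostProperties>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="Missing vendor security update (constructed)">
<solution>Apply the vendor patch and reboot.</solution></ReportItem>
<ReportItem port="443" protocol="tcp" severity="2" pluginID="900003" pluginName="Deprecated TLS version enabled (constructed)">
<solution>Disable the deprecated protocol version.</solution></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

THIS_WEEK = """<NessusClientData_v2><Report name="Austin Office (constructed)">
<ReportHost name="fileserver01"><HostProperties>
<tag name="HOST_END">Mon Dec  7 09:12:33 2020</tag></HostProperties>
<ReportItem port="443" protocol="tcp" severity="2" pluginID="900003" pluginName="Deprecated TLS version enabled (constructed)">
<solution>Disable the deprecated protocol version.</solution></ReportItem>
<ReportItem port="0" protocol="tcp" severity="0" pluginID="900002" pluginName="OS identification (constructed)">
<solution>n/a</solution></ReportItem></ReportHost>
<ReportHost name="workstation07"><HostProperties>
<tag name="HOST_END">Mon Dec  7 09:14:02 2020</tag></HostProperties>
<ReportItem port="3389" protocol="tcp" severity="2" pluginID="900004" pluginName="Remote desktop without network-level authentication (constructed)">
<solution>Require Network Level Authentication.</solution></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""
```

On the two samples, compliance_record(THIS_WEEK) lists the two open medium findings with their solutions, and remediation_status(parse_nessus(LAST_WEEK)[1], parse_nessus(THIS_WEEK)[1]) shows one finding remediated, one still open, and one new, which is the follow-up trail the annual executive summary needs.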
We find that structuring a folder in this manner makes for an
easy audit – when the day does come. We designed this structure
by researching actual cybersecurity/IT documentation requests that
our clients had received from the SEC (and SSBs).
Please see Appendix A for a list of those requests.
Each firm is going to be unique in regards to what systems need
documentation and monitoring, but I hope this provides a quick
outline of how you should be thinking about your cybersecurity
compliance obligations.
If you have any questions or are curious how MTradecraft can
assist in helping you set up your cybersecurity compliance
workflows, please let us know.
About the Author:
My name is Brian Hahn and I founded MTradecraft in 2009. I have been in the investment industry for over 20 years with experience as a:
- COO|CCO of a SEC Registered Investment Advisor
- Head Trader and Operations Manager for a SEC registered hedge fund
- CS Associate at Ray Dalio's Bridgewater Associates
- Co-Founder of two investment management firms (a RIA and hedge fund)
I have experience designing every aspect of a firm's IT operations, compliance manuals, operational workflows, and cybersecurity infrastructure.
Unlike most firms, I do not sell ongoing cybersecurity products, nor am I affiliated with outside IT vendors. That means you will receive unbiased advice that is focused on protecting your network and you never have to worry about an up sell at the end.
I live and breathe cybersecurity and investment management operations and I am dedicated to the tradecraft of helping my clients protect their most sensitive data and client relationships.
MTradecraft supports over 180 clients nationwide.
We serve all financial institutions, with focused expertise in the RIA, broker-dealer, hedge fund, and family office space.
Appendix A
SEC Cybersecurity Compliance Documentation
Requests
-----------------------------------------------------------------
Does the firm have: (i) a written Business Continuity Plan;
(ii) a Pandemic Continuity of Operations Plan; and/or (iii)
equivalent informal plans or guidance (collectively, “BCP”)?
If so:
1. Briefly describe some of the aspects of the BCP that
are particularly applicable to maintaining continuity
of business operations when dealing with the COVID-19
pandemic (e.g., personnel working remotely).
2. Are there any business operations that cannot be
performed remotely?
-----------------------------------------------------------------
If the firm has a BCP, has the firm activated/implemented
its BCP in response to COVID-19? If so, please describe:
1. What aspects of the plan have been implemented?
2. Whether the firm has identified any preliminary
weaknesses or unforeseen issues since implementing its
BCP?
3. Whether the firm has encountered, thus far, any
limitations in its ability to operate critical systems
or conduct critical operations in connection with its
personnel working remotely?
4. Whether working remotely has affected the firm’s
oversight of any of its third-party vendors or service
providers?
5. Do the firm’s BCP efforts address the resiliency
practices of its key third-party vendors, service
providers, and business partners (collectively,
“vendors”) (i.e., the continuation of the vendors’
business functions affecting the firm’s key
operations)? For example, does the firm make sure that
vendors address:
1. Continuity program activities, such as regularly
reviewing and updating their BCP?
2. Disaster recovery plans for their systems, such as
identifying the locations where data is backed up
and recovery time objectives?
3. Business continuity procedures, such as
comprehensive continuity strategies and procedures
with all of their vendors?
4. Communication practices, such as internal and
external communication plans with their vendors
and clients/customers?
-----------------------------------------------------------------
Is the firm prepared to have all of its personnel operate
remotely for several weeks (e.g., 3+) or months, if required
or appropriate? Are any personnel unable to operate remotely
or unable to do so for several weeks or months?
-----------------------------------------------------------------
Does the firm have a contingency plan if its essential
personnel are unable to work, or only able to work on a
part-time basis, for several weeks or months? For example,
personnel may be incapacitated or are only able to work
part-time if they are caring for children.
-----------------------------------------------------------------
Has the COVID-19 pandemic created hardships for the firm
(e.g., financial, human resources, or otherwise)?
-----------------------------------------------------------------
Has the firm considered assessing the impact of COVID-19 on
its business and operations? If so, is it underway, or when
does the firm believe it will undergo this assessment?
What other issues or concerns does the firm want to share
with the SEC, including any challenges related to COVID-19
that have impacted other firms?
-----------------------------------------------------------------
For each of the following practices employed by the Firm for
management of information security assets, please provide the
month and year in which the noted action was last taken; the
frequency with which such practices are conducted; the group with
responsibility for conducting the practice;
and, if not conducted firmwide, the areas that are included
within the practice. Please also provide a copy of any relevant
policies and procedures.
• Physical devices and systems within the Firm are inventoried
and assessed for risks.
• Software platforms and applications within the Firm are
inventoried and audited.
• Maps of network resources, connections, and data flows
(including locations where customer data is housed) are created
or updated.
• Connections to the Firm’s network from external sources are
catalogued and assessed.
• Resources (hardware, data, 2-factor authentication, and
software) are prioritized for protection based on their
sensitivity and business value.
• Logging capabilities and practices are assessed for adequacy,
appropriate retention, and secure maintenance.
-----------------------------------------------------------------
Please provide a copy of the Firm’s written information security
policy and employee usage agreements.
-----------------------------------------------------------------
Please indicate whether the Firm conducts periodic risk
assessments to identify cybersecurity threats, vulnerabilities,
physical vulnerabilities and potential business consequences. If
such assessments are conducted: a. Who (business group/title)
conducts them, and in what month and year was the most recent
assessment completed? b. Please describe any findings from the
most recent risk assessment that were deemed to be potentially
moderate or high risk and have not yet been fully remediated.
-----------------------------------------------------------------
Does the Registrant use any cloud-based storage (e.g., Dropbox,
SkyDrive, Google Docs, etc.) for data backup or any other
purpose? If so, please list the vendors used and all due
diligence research associated with each vendor. Is the
Registrant using a personal or business version of the cloud
storage? Please provide a copy of the terms of service agreement
from each cloud storage vendor that the Registrant is using.
-----------------------------------------------------------------
Does the Registrant have any written policies and procedures to
govern the use of/access of firm data? If so, please provide
copies of the policies and procedures.
-----------------------------------------------------------------
Has the Registrant ever had any data breaches or any other
cybersecurity issues (e.g., hacking incidents, ransomware, etc.)?
If yes, please provide a timeline and describe the nature of the
incident. If no, please describe how the firm monitors for
breaches.
-----------------------------------------------------------------
If cybersecurity roles and responsibilities for the Firm’s
workforce and managers have been explicitly assigned and
communicated, please provide written documentation of these roles
and responsibilities. If no written documentation exists, please
provide a brief description.
-----------------------------------------------------------------
Please provide a copy of the Firm’s written business continuity
of operations plan that addresses mitigation of the effects of a
cybersecurity incident and/or recovery from such an incident if
one exists.
-----------------------------------------------------------------
Does the Firm have a Chief Information Security Officer or
equivalent position? If so, please identify the person and title.
If not, where does principal responsibility for overseeing
cybersecurity reside within the Firm?
-----------------------------------------------------------------
Does the Firm maintain insurance that specifically covers losses
and expenses attributable to cybersecurity incidents? If so,
please briefly describe the nature of the coverage and indicate
whether the Firm has filed any
claims, as well as the nature of the resolution of those claims.
-----------------------------------------------------------------
Does the Registrant allow employees (or any person) to access any
personal web-based e-mail accounts (e.g., Google, Yahoo Mail,
Hotmail, etc.) from the firm’s networks? If no, what steps has
the Registrant taken to block network access to personal e-mail?
-----------------------------------------------------------------
Does the Registrant allow employees (or any person) to use their
personal e-mail for business purposes? If yes, what types of
information are transmitted via web-based e-mail? Is web-based e-
mail used for client communications?
-----------------------------------------------------------------
Does the Registrant use a web-based e-mail provider’s or its own
server for e-mail? If the Registrant is using a web-based e-mail
account does it have a business account with the provider? Do
any other entities share the same email server?
-----------------------------------------------------------------
Please provide a copy of the terms of service agreement from each
web-based e-mail provider that the Registrant is using.
-----------------------------------------------------------------
Does the Registrant maintain records of web-based e-mail
communications? If so, how are the records maintained? Does
compliance review web-based e-mail communications?
-----------------------------------------------------------------
Does the Registrant have any written policies and procedures to
govern the access to/use of/maintenance of/review of web-based e-
mail? If yes, please provide copies of the policies and
procedures.
-----------------------------------------------------------------
Please identify any published cybersecurity risk management
process standards, such as those issued by the National Institute
of Standards and Technology (NIST) or the International
Organization for Standardization (ISO), the Firm has used to
model its information security architecture and processes.
-----------------------------------------------------------------
Please indicate which of the following practices and controls
regarding the protection of its networks and information are
utilized by the Firm, and provide any relevant policies and
procedures for each item.
1. The Firm provides written guidance and periodic training to
employees concerning information security risks and
responsibilities. If the Firm provides such guidance and/or
training, please provide a copy of any related written
materials (e.g., presentations) and identify the dates,
topics, and which groups of employees participated in each
training event conducted since January 1, 2013.
2. The Firm maintains controls to prevent unauthorized
escalation of user privileges and lateral movement among
network resources. If so, please describe the controls,
unless fully described within policies and procedures.
3. The Firm restricts users to those network resources
necessary for their business functions. If so, please
describe those controls, unless fully described within
policies and procedures.
4. The Firm maintains an environment for testing and
development of software and applications that is separate
from its business environment.
5. The Firm maintains a baseline configuration of hardware and
software, and users are prevented from altering that
environment without authorization and an assessment of
security implications.
6. The Firm has a process to manage IT assets through removal,
transfers, and disposition.
7. The Firm has a process for ensuring regular system
maintenance, including timely installation of software
patches that address security vulnerabilities.
8. The Firm’s information security policy and training address
removable and mobile media.
9. The Firm maintains controls to secure removable and
portable media against malware and data leakage. If so,
please briefly describe these controls.
10. The Firm maintains protection against Distributed
Denial of Service (DDoS) attacks for critical internet-
facing IP addresses. If so, please describe the internet
functions protected and who provides this protection.
11. The Firm maintains a written data destruction policy.
12. The Firm maintains a written cybersecurity incident
response policy. If so, please provide a copy of the policy
and indicate the year in which it was most recently updated.
Please also indicate whether the Firm conducts tests or
exercises to assess its incident response policy, and if so,
when and by whom the last such test or assessment was
conducted.
13. The Firm periodically tests the functionality of its
backup system. If so, please provide the month and year in
which the backup system was most recently tested.
-----------------------------------------------------------------
Please indicate whether the Firm makes use of encryption. If so,
what categories of data, communications, and devices are
encrypted and under what circumstances?
-----------------------------------------------------------------
Please indicate whether the Firm conducts periodic audits of
compliance with its information security policies. If so, in what
month and year was the most recent such audit completed, and by
whom was it conducted?
-----------------------------------------------------------------
Please indicate whether the Firm provides customers with on-line
account access. If so, please provide the following information:
a. The name of any third party or parties that manage the
service.
b. The functionality for customers on the platform (e.g., balance
inquiries, address and contact information changes, beneficiary
changes, transfers among the customer’s accounts, withdrawals or
other external transfers of funds).
c. How customers are authenticated for on-line account access and
transactions.
d. Any software or other practice employed for detecting
anomalous transaction requests that may be the result of
compromised customer account access.
e. A description of any security measures used to protect
customer PINs stored on the sites.
f. Any information given to customers about reducing
cybersecurity risks in conducting transactions/business with the
Firm.
-----------------------------------------------------------------
Please provide a copy of the Firm’s procedures for verifying the
authenticity of email requests seeking to transfer customer
funds. If no written procedures exist, please describe the
process.
-----------------------------------------------------------------
Please provide a copy of any Firm policies for addressing
responsibility for losses associated with attacks or intrusions
impacting customers.
a. Does the Firm offer its customers a security guarantee to
protect them against hacking of their accounts? If so, please
provide a copy of the guarantee if one exists and a brief
description.
-----------------------------------------------------------------
If the Firm conducts or requires cybersecurity risk assessments
of vendors and business partners with access to the Firm’s
networks, customer data, or other sensitive information, or due
to the cybersecurity risk of the outsourced function, please
describe who conducts this assessment, when it is required, and
how it is conducted. If a questionnaire is used, please provide a
copy. If assessments by independent entities are required, please
describe any standards established for such assessments.
-----------------------------------------------------------------
If the Firm regularly incorporates requirements relating to
cybersecurity risk into its contracts with vendors and business
partners, please describe these requirements and the
circumstances in which they are incorporated. Please provide a
sample copy.
-----------------------------------------------------------------
Please provide a copy of policies and procedures and any training
materials related to information security procedures and
responsibilities for trainings conducted since January 2017 for
vendors and business partners authorized to access its network.
-----------------------------------------------------------------
If the Firm assesses the segregation of sensitive network
resources from resources accessible to third parties, who
(business group/title) performs this assessment, and provide a
copy of any relevant policies and procedures?
-----------------------------------------------------------------
If vendors, business partners, or other third parties may conduct
remote maintenance of the Firm’s networks and devices, describe
any approval process, logging process, or controls to prevent
unauthorized access, and provide a copy of any relevant policies
and procedures.
-----------------------------------------------------------------
For each of the following practices employed by the Firm to
assist in detecting unauthorized activity on its networks and
devices, please briefly explain how and by whom (title,
department and job function) the practice is carried out.
• Identifying and assigning specific responsibilities, by job
function, for detecting and reporting suspected unauthorized
activity.
• Maintaining baseline information about expected events on the
Firm’s network.
• Aggregating and correlating event data from multiple sources.
• Establishing written incident alert thresholds.
• Monitoring the Firm’s network environment to detect potential
cybersecurity events.
• Monitoring the Firm’s physical environment to detect potential
cybersecurity events.
• Using software to detect malicious code on Firm networks and
mobile devices.
• Monitoring the activity of third party service providers with
access to the Firm’s networks.
• Monitoring for the presence of unauthorized users, devices,
connections, and software on the Firm’s networks.
• Evaluating remotely-initiated requests for transfers of
customer assets to identify anomalous and potentially fraudulent
requests.
• Using data loss prevention software.
• Conducting penetration tests and vulnerability scans. If so,
please identify the month and year of the most recent penetration
test and recent vulnerability scan, whether they were conducted
by Firm employees or third parties, and describe any findings
from the most recent risk test and/or assessment that were deemed
to be potentially moderate or high risk but have not yet been
addressed.
• Testing the reliability of event detection processes. If so,
please identify the month and year of the most recent test.
• Using the analysis of events to improve the Firm’s defensive
measures and policies.
-----------------------------------------------------------------
Did the Firm update its written supervisory procedures to reflect
the Identity Theft Red Flags Rules, which became effective in
2013 (17 CFR § 248—Subpart C—Regulation S-ID)?
a. If not, why?
-----------------------------------------------------------------
How does the Firm identify relevant best practices regarding
cybersecurity for its business model?
-----------------------------------------------------------------
Since January 1, 2016, has your Firm experienced any of the
following types of events? If so, please provide a brief summary
for each category listed below, identifying the number of such
incidents (approximations are acceptable when precise numbers are
not readily available) and describing their significance and any
effects on the Firm, its customers, and its vendors or
affiliates. If the response to any one item includes more than 10
incidents, the respondent may note the number of incidents and
describe incidents that resulted in losses of more than $5,000,
the unauthorized access to customer information, or the
unavailability of a Firm service for more than 10 minutes. The
record or description should, at a minimum, include: the extent
to which losses were incurred, customer information accessed, and
Firm services impacted; the date of the incident; the date the
incident was discovered and the remediation for such incident.
• Malware was detected on one or more Firm devices. Please
identify or describe the malware.
• Access to a Firm web site or network resource was blocked or
impaired by a denial of service attack. Please identify the
service affected, and the nature and length of the impairment.
• The availability of a critical Firm web or network resource was
impaired by a software or hardware malfunction. Please identify
the service affected, the nature and length of the impairment,
and the cause.
• The Firm’s network was breached by an unauthorized user. Please
describe the nature, duration, and consequences of the breach,
how the Firm learned of it, and how it was remediated.
• The compromise of a customer’s or vendor’s computer used to
remotely access the Firm’s network resulted in fraudulent
activity, such as efforts to fraudulently transfer funds from a
customer account or the submission of fraudulent payment requests
purportedly on behalf of a vendor.
• The Firm received fraudulent emails, purportedly from
customers, seeking to direct transfers of customer funds or
securities.
• The Firm was the subject of an extortion attempt by an
individual or group threatening to impair access to or damage the
Firm’s data, devices, network, or web services.
• An employee or other authorized user of the Firm’s network
engaged in misconduct resulting in the misappropriation of funds,
securities, sensitive customer or Firm information, or damage to
the Firm’s network or data.
-----------------------------------------------------------------
Since January 1, 2016, if not otherwise reported above, did the
Firm, either directly or as a result of an incident involving a
vendor, experience the theft, loss, unauthorized exposure, or
unauthorized use of or access to customer information? Please
respond affirmatively even if such an incident resulted from an
accident or negligence, rather than deliberate wrongdoing. If so,
please provide a brief summary of each incident or a record
describing each incident. Please indicate whether it was reported
to the following:
• Law enforcement (please identify the entity)
• FinCEN (through the filing of a Suspicious Activity Report)
• FINRA
• A state or federal regulatory agency (please identify
the agency and explain the manner of reporting)
• An industry or public-private organization facilitating the
exchange of information about cybersecurity incidents and risks
-----------------------------------------------------------------
What does the Firm presently consider to be its three most
serious cybersecurity risks, and why?
-----------------------------------------------------------------
Please feel free to provide any other information you believe
would be helpful to the Securities and Exchange Commission in
evaluating the cybersecurity posture of the Firm or the
securities industry.
Appendix B
Employee Technology Use Policy
This policy sets forth a basic set of standards for the use and protection of {FIRM NAME} computer assets. This policy relates, but is not limited to, computer workstations, servers, laptop computers, electronic mail, databases, networks, and connection(s) to the intranet, internet, and any other information technology services available both now and in the future.
Information and Information Technology Systems including the computers, networks, applications (both third party and proprietary), technology facilities and the data housed therein, permit individuals, including all officers and directors, full-time, part-time and temporary employees, interns, consultants, independent contractors and other non-{FIRM NAME} personnel (collectively, "Users") to perform their duties at {FIRM NAME}.
Users are not allowed to remove any “Confidential Information" as described in the Code of Ethics from {FIRM NAME} networks or property by any means (including, but not limited to, internet, email, CD/DVD, disk, printed page), without the approval of theirChief Compliance Officer.
{FIRM NAME}'s Information and Information Technology Systems are intended solely for {FIRM NAME} business purposes. Personal use is not permissible. You are required to make sure your use: (i) does not involve a significant amount of resources that could otherwise be used for business purposes; (ii) does not interfere with a User's productivity; (iii) does not preempt any business activity; (iv) is not contrary to any other {FIRM NAME} policy; (v) does not intentionally make {FIRM NAME} susceptible to excessive spam or unsolicited requests; and (vi) does not disparage or diminish the reputation of {FIRM NAME} or its employees, officers, directors, shareholders and clients. It is the responsibility of each User to ensure that {FIRM NAME} Information and Information Technology Systems are used properly.
Users should not expect electronic communications made or received using {FIRM NAME}'s Information Technology Systems to be private. {FIRM NAME} expressly reserves the right, without notice, to access and examine {FIRM NAME} computer systems and networks and all information stored or transmitted through these systems and networks including, but not limited to, all electronic mail. As such, Users should have no expectation of privacy in the use of {FIRM NAME}'s Information Technology Systems. {FIRM NAME} may monitor all activity on {FIRM NAME} technology systems, including but not limited to personal uses such as online banking, online health information, shopping, or personal email. This monitoring may include keystroke logging, screen captures, and Internet activity monitoring, which may reveal personal information such as bank account information, passwords, medical information, or other personal information. Any information obtained by {FIRM NAME} during such monitoring may be used for any appropriate purpose as determined by {FIRM NAME} in its sole and exclusive discretion.
All electronic communications (e.g., email, IM, etc.) made using {FIRM NAME}'s networks, computers, systems or other property will be deemed the exclusive property of {FIRM NAME}. All electronic communications are to be written in English. If there is a legitimate business need to send a non-English email or communication, a translation must be provided to Compliance at the time the email is sent. The Compliance Department conducts regular reviews of email and instant message communications. The purpose of these reviews is to ensure that {FIRM NAME} is complying with its regulatory obligations as well as its own internal policies, including the requirement that all electronic communications be consistent with the professional environment that we strive to maintain. All Users are reminded that such reviews will take place and to carefully consider the appropriateness of any statements made by them in any email communication. Users are further reminded that any personal emails sent via {FIRM NAME}'s electronic communication facilities will be retained and are subject to review by {FIRM NAME} compliance personnel as well as our regulators.
The use of web-based email sites (e.g., Gmail, Hotmail, university email, etc.), file upload sites (e.g., Yahoo or Xdrive), personal/home websites, and other web-based publishing sites including blogs is prohibited. Notwithstanding the above, all electronic business communications must go through the {FIRM NAME} email servers, with the exception of Bloomberg instant messages. In the event of a {FIRM NAME} declared emergency, personal, web-based email sites (e.g., Gmail, Hotmail, etc.) may be used; however, in all cases Compliance must be carbon copied on every email.
All information received, stored or transmitted on behalf of {FIRM NAME} is to be treated as Confidential Information. As such, no internal email may be forwarded outside of {FIRM NAME} unless: (i) there is a special business reason to do so; or (ii) the forwarded email is about specific {FIRM NAME} benefits or events available only to your family (or similar close relationship), e.g., emails regarding the company Christmas party.
All electronic communications form a part of {FIRM NAME}'s company records. As such, electronic communications may be subject to disclosure to law enforcement or government officials or to other third parties through appropriate and lawful subpoena or otherwise. Users must ensure that business information contained in electronic communications is accurate,
Moreover, the Investment Advisers Act of 1940 (the "Act") requires that {FIRM NAME} maintain the originals of all written communications (including email) received and copies of all written communications sent to any party, including persons that are not clients of {FIRM NAME}, relating to the business of providing investment services. It is our policy to retain all internal and external email and internal instant messages, as well as all Bloomberg messages.
Users must conduct themselves in a courteous and professional manner when using {FIRM NAME}'s Information Technology Systems, including when using all email and other electronic communications. Users should write all email and other electronic communications with the same degree of responsibility that they would employ when writing letters or internal memoranda on {FIRM NAME}'s letterhead.
GENERAL RULES
The following are some basic rules governing the use of Information and Information Technology Systems at {FIRM NAME}.
A. HARDWARE AND SOFTWARE
{FIRM NAME} provides each User with job appropriate hardware and software. The hardware and software are owned and maintained by {FIRM NAME}, which has the right at any time, without notice, to examine and/or confiscate any hardware, software or data maintained on such hardware and/or {FIRM NAME}'s Information Technology Systems. If there is a technology device that has not been provided to you that you believe will help you to be more productive in performing your duties, please have it approved by the firm's Chief Compliance Officer.
No unapproved information technology devices should be used in conjunction with {FIRM NAME}'s Information Technology Systems. This includes, but is not limited to, other computers, laptops, ZIP drives, thumb drives, USB drives, memory sticks, CDR/CDRW drives or any other mass storage devices. Exceptions will only be granted on a case-by-case basis, in writing, by the Chief Compliance Officer.
Any software installed or data files stored on a {FIRM NAME} computer must be approved in advance. This includes software and data files downloaded from the internet. Using, downloading, installation and/or storage of illegal or pirated software or files are not permitted in any form. In general, the software will be approved if it is properly licensed, intended for a legitimate business purpose, and does not expose {FIRM NAME} to security risks. Non-business related software should not be installed on {FIRM NAME} computers. If you are unsure of what is considered prohibited, please contact the Chief Compliance Officer.
EVERY EMPLOYEE IS RESPONSIBLE FOR THEIR COMPUTER BEING PATCHED AND UPDATED AT ALL TIMES.
B. USER ID AND PASSWORD
Each User must have a User-ID and password prior to being able to use any {FIRM NAME} computer or Information Technology System. A User-ID and a password, both of which are unique to an individual, will be supplied to each User upon onboarding.
Strong Passwords are Required at All Times. Passwords must be at least 13 characters long and contain at least one of each: an upper case letter, a lower case letter, a symbol, and a number.
Each User is responsible for all activity that occurs on his or her User-ID unless such ID is stolen and it is demonstrated that the User was not negligent in having allowed such theft to occur. User-IDs are revoked when a User is no longer authorized to access {FIRM NAME}'s Information Technology Systems. User-IDs are also subject to suspension if not used regularly or if an incorrect password is entered repeatedly.
It is the responsibility of each User to protect the confidentiality of his or her password. Passwords must not be shared with others or recorded in any place where they might be found. All Users must log ALL passwords in LastPass. Users are responsible for protecting it and must report promptly if it is lost or stolen. Users who are provided with other authentication hardware such as a SecurID token, YubiKey or smartcard must take care to protect it and report it lost or stolen immediately.
Users must not allow others to use their access without supervision.
C. REMOTE DIAL UP AND VPN ACCESS
{FIRM NAME} provides VPN access to the Information Technology Systems to facilitate work while away from the {FIRM NAME} premises. Users must not share their remote access or allow others to use it.
D. DAILY BACKUPS
The firm is required to conduct periodic backups of all information that resides on its central computer systems, servers, and networks in order to protect {FIRM NAME}'s information resources from loss or damage. Maintenance of information stored on a User's personal computer or laptop hard drive (e.g., C: drive) is the responsibility of the User and is not included in normal backup procedures and recovery capabilities. In case of equipment failure or upgrade, any information on a local system may be lost.
E. VIRUS-SCREENING SOFTWARE
Virus-screening software has been and will continue to be installed on {FIRM NAME} desktop and laptop computers and must not be disabled for any reason. No User may take any steps to disable any firewalls, filters or similar protections which have been installed by {FIRM NAME}. Users may not load onto the Information Technology Systems or transmit any disabling software, such as Trojan horses, viruses, worms, time bombs or any other form of disabling code.
EVERY USER MUST ENSURE THEIR VIRUS SCREEN SOFTWARE IS ACTIVE AND UP TO DATE
F. LOCK COMPUTER
{FIRM NAME} computers must utilize a screen-saver with password protection, configured to activate after no more than 5 minutes of inactivity unless an exception is approved by the Chief Compliance Officer.
Each User must lock his or her computer (Windows Key + L) before leaving at the end of the workday. Users should never leave their computers logged in and unattended.
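The screen-lock requirement in Section F is one a CCO can verify rather than take on trust. The script below is an added example, not part of the MTradecraft policy text; it reads the standard Windows screen-saver registry values (policy hive first, then the user's own settings) and reports whether the session meets the 5-minute, password-protected lock requirement.

```powershell
# Added example (not from the policy above). Assumes Windows 10/11 and the
# standard "Control Panel\Desktop" screen-saver values; a Group Policy value
# under the Policies hive takes precedence over the user's own setting.
$MaxIdleSeconds = 5 * 60   # Section F: lock after no more than 5 minutes

function Get-ScreenLockSetting {
    param([string]$Name)
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) { return [string]$item.$Name }
    }
    return $null
}

function Test-ScreenLockCompliance {
    $active  = Get-ScreenLockSetting 'ScreenSaveActive'     # "1" = enabled
    $secure  = Get-ScreenLockSetting 'ScreenSaverIsSecure'  # "1" = password on resume
    $timeout = Get-ScreenLockSetting 'ScreenSaveTimeOut'    # idle seconds, as a string

    $findings = @()
    if ($active -ne '1') { $findings += 'Screen saver is not enabled (ScreenSaveActive is not 1).' }
    if ($secure -ne '1') { $findings += 'Screen saver does not require a password (ScreenSaverIsSecure is not 1).' }
    if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is '$timeout' seconds; policy allows at most $MaxIdleSeconds."
    }

    # One record per workstation, suitable for filing as compliance evidence.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = $env:USERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
        CheckedAt    = (Get-Date).ToString('s')
    }
}

# A non-compliant result needs either remediation or a written
# exception from the Chief Compliance Officer, as Section F requires.
Test-ScreenLockCompliance | Format-List
```

Run it in the user's own session (the values live under HKCU); pushing it through a login script and collecting the output gives the CCO the per-machine evidence the policy implies.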
Users entrusted with {FIRM NAME} computer assets, including desktops, laptops, Blackberries, and software, must exercise due diligence at all times to prevent theft, destruction or other misuses of the assets.
Portable laptops, notebooks, palmtops and other transportable computers containing sensitive {FIRM NAME} information must be treated with the same care provided to {FIRM NAME} documents. If a {FIRM NAME} computer or Information Technology device is lost or stolen, the Chief Compliance Officer must be notified immediately.
G. THIRD PARTY SOFTWARE
No User should include any code that is subject to any open source license without the approval of the Chief Compliance Officer.
By signing below, you acknowledge the receipt of this policy and attest that you will follow all rules set within.
------------------------------------------------ --------------------------------
Employee Signature Date
------------------------------------------------ --------------------------------
Chief Compliance Officer Signature Date
Appendix C
Policy and Procedures Manual Outline
INTRODUCTION TO DOCUMENT
OBJECTIVES OF DOCUMENT
DEFINITIONS [FIRM SPECIFIC]
IDENTIFICATION OF RISKS/CYBERSECURITY GOVERNANCE
1. Inventory of Physical Devices
2. Inventory of Software Platforms and Applications
3. Map of Network Resources, Connections and Data Flows
4. Catalog of Connections to the Firm's Network from External Sources
5. Resources Prioritized for Protection Based on Sensitivity and Business Value
6. Logging Capabilities and Practices
7. Periodic Risk Assessment
8. Cybersecurity Roles and Responsibilities
9. Business Continuity Plan
10. Cybersecurity Insurance
11. Deviations from this Cybersecurity Policy
ACCESS RIGHTS AND CONTROLS
1. User Access Rights, Controls and Multi Factor Authentication
2. User Passwords
3. Acceptable Use of Firm-Provided Network, Email, Internet, and Mobile Devices
4. User Remote Network Access
5. Login Attempts, Failures, and Lockouts
PROTECTION OF FIRM NETWORKS AND INFORMATION
1. Cybersecurity Risk Management Process Standards
2. Written Guidance and Periodic Training Regarding Cybersecurity Risks
3. Baseline Configuration of Hardware and Software
4. Hardware Removal, Transfer, and Disposition
5. System Maintenance and Software Patches
6. Removable and Mobile Media
7. Distributed Denial of Service Attacks
8. Cybersecurity Incident Response Policy
9. Server and System Backup Policy
10. Encryption Policy
11. Record Keeping Policy
RISKS ASSOCIATED WITH REMOTE CUSTOMER ACCESS AND FUNDS TRANSFER REQUESTS
1. Customer Online Account Access
2. Written Identity Theft Prevention Program
3. Firm Policies for Addressing Losses Associated with Cybersecurity Attacks
RISKS ASSOCIATED WITH IT VENDORS AND OTHER THIRD PARTIES
1. IT / SaaS / IaaS Vendor, Third Party Service Provider or Business Partner Cybersecurity Risk Assessments
2. IT Vendor or Third Party Service Provider Agreements
3. IT / SaaS / IaaS Vendor, Third Party Service Provider, or Business Partner Training Materials
4. Segregation of Network Resources from Resources Accessible to Third-Parties
5. Segregation of Network Resources for Remote Maintenance by Third Parties
6. Contingency Plans for IT / SaaS / IaaS Vendors, or Third Party Service Providers
DETECTION OF UNAUTHORIZED ACTIVITY
1. Policies and Procedures for Detecting Unauthorized Activity on the Firm's Network
2. Monitoring the Firm's Physical Environment to Detect Potential Cybersecurity Incidents
3. Monitoring the Activity of Third-Party Service Providers with Access to the Firm's Network