Key Controls on Web Use to Avoid Regulatory Scrutiny
For regulated investment firms, the SEC has prioritized cybersecurity, governance and data loss prevention. While firms cover the gamut in their compliance manuals and policies, their practice reveals alarming gaps when team members access the web. John Klassen of Authentic8 discusses how compliance teams can ensure oversight and control over employees’ web activities.
For buy-side and sell-side firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized “cybersecurity with an emphasis on, among other things, governance and risk assessment, access rights and controls, data loss prevention […] and incident response.”[1]
While these regulated entities have significantly strengthened their compliance policies, their practices still reveal troubling deficiencies. Behind closed doors, compliance leaders in many firms admit that they lack the tools to sufficiently monitor, audit and enforce employee web use policy.
Regulators expect firms to make a “reasonable” attempt to ensure oversight and remediate areas of weakness. So what’s getting in the way?
The Web: Asset or Liability? It Depends On the Browser.
Whether research analysts or investment managers use business apps or social media, they rely on the locally installed web browser as their primary tool. It is the very same tool that increasingly leaves firms exposed to risks of data breaches and compliance violations online. Osterman Research found “a wide range of threats” resulting from the use of locally installed browsers, “including ransomware, other types of malware, leaks of sensitive and confidential information and catastrophic data breaches.”[2]
This puts an extra burden on compliance and IT leaders. While more business functions in investment firms are shifting to cloud-based applications and services, ironically their locally installed browsers are still stuck in IT’s past. Their inherent security weakness makes them a gateway for web-borne exploits. One in 13 web requests today leads to malware, up from one in 20 in 2016, according to security researchers at software firm Symantec.[3]
As a result, the browser has become synonymous with increased risk, loss of control and compliance violations online. The underlying reason is simple: the local browser was not designed with security and compliance in mind.
The Browser: A Compliance Blind Spot
At its core, the local browser remains an anachronistic holdover from the 1990s rush to the web. Its inherent lack of security and auditability leaves firms exposed to risks of data breaches and data loss.
This has created a dangerous blind spot for the compliance team and IT. The browser’s architectural flaws and vulnerabilities make it notoriously difficult to manage, monitor and secure against web-borne exploits.[4]
“Missed patches and updates” were among the compliance risks that OCIE staff pointed out following examinations of RIAs and investment funds. Although all advisers and funds had a process in place for ensuring regular system maintenance, the examiners found that critical security updates had not been installed.[5]
Patchwork Security: More Complexity, Less Control
The outdated, supposedly “free” local browser comes at a cost. It necessitates IT security point solutions which lull users – and IT admins – into a false sense of safety. Examples are antivirus (AV) software and secure web gateways (SWG) on the local network, which aim to fill the security or compliance gaps left by the local browser.
Such tools add more complexity and maintenance requirements, and they also tend to introduce additional risks, security researchers warn.[6] The same holds true for URL filtering solutions that aim to mitigate web risks by categorizing sites in “blacklists” and “whitelists” – at a time when most compliance risks emanate from the web’s “gray zone.”
Browsing in the Web’s Gray Zone
The exponential growth of the web has rendered traditional black/white, risk/no-risk categories obsolete. Blacklists have failed to make firms safer, because they are outpaced by the web’s rapid growth. Loss of productivity can result when team members are unable to access sites they need for research. Whitelisted or authorized sites, on the other hand, may be assumed safe but aren’t, because they can serve web-based scripts that the browser executes locally, infecting the firm’s IT infrastructure with malware.
A cloud storage service may be whitelisted for internal use, but it can also be abused. Using their browser, insiders can exfiltrate proprietary information to a personal account with the same service. This is an actual example, not merely a theoretical possibility.
Firms are usually blindsided by such incidents. Problems like these typically arise in firms that still use a local browser to access the internet, which prevents oversight and control for the compliance team and IT.
Trading Security for Productivity?
Compliance and IT teams face a conundrum: A more restrictive web use policy may help ensure network security and oversight, but on the downside, it may also lead to a productivity loss and put the firm at a competitive disadvantage.
Team members rely on the web to quickly aggregate actionable market intelligence from widely disparate sources. They also need to access office resources from home or via public Wi-Fi without putting their firm at risk.
All this is why, following the example of leading financial institutions and organizations in other highly regulated sectors, more investment firms are taking the logical next step. They eliminate the associated risks by replacing the regular browser with a cloud browser that isolates web access and can be centrally managed, monitored and audited.
Cloud Browser for Full Compliance and Control
How do cloud browsers work? With a compliance-ready cloud browser, all web code is processed on a remote host configured for regulatory compliance and data security. No code from the web can reach the local IT infrastructure. The cloud browser serves as a central, audited asset that ensures all user activity on the web can be reviewed against GRC requirements.
Browser isolation outside the firm’s IT perimeter offers a win-win instead of weak compromises, enabling CCOs and IT to implement the recommendations of the OCIE[7]. Employees get access to the web via a secure, compliant, personalized browser. IT gets complete isolation from the risk of malware, a robust set of administrative controls and a fully auditable log of a user’s activity, all embedded in a remote cloud browser.
Investment firms with business interests in the European Union have one more reason to use a cloud browser: Unlike regular browsers, a cloud browser for use in this space would have to provide privacy controls that fulfill the requirements of the European Union’s Data Protection Directive (Directive 95/46/EC) and meet the requirements of the General Data Protection Regulation (GDPR).
How do investment firms establish whether a cloud browser fits their needs? Market research[8] indicates they expect their cloud browser to provide a single point of control and granular oversight for IT administrators and compliance officers.
How Do Firms Select a Cloud Browser?
With a compliance-ready cloud browser, there should be no more blind spots when team members go online. Each browser session should be built based on embedded policies predefined by the firm’s IT security or compliance teams.
A compliance-ready cloud browser enables the team to centrally manage network device access, websites, content types, credentials and data operations. It should log and encrypt all user actions to facilitate compliance reviews and post-issue remediation.
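As an added illustration (not Authentic8’s code or any product’s API), the kind of central, per-session policy check and tamper-evident session log described here, in Python; it also covers the cloud-storage exfiltration case from the gray-zone section, where the whitelisted service is allowed but an upload to a personal account on it is not. The policy values, host names and tenant names are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy for a hypothetical firm: sites stay reachable (no blacklist to
# keep current), but data operations are controlled per destination and tenant.
POLICY = {
    "blocked_content_types": {"application/x-msdownload"},  # no native executables to the endpoint
    "upload_allowed_tenants": {"files.example-storage.com": {"acme-capital"}},  # corporate tenant only
}

def evaluate(policy, event):
    """Decide one browser event (keys: user, host, op, content_type, tenant) -> (allow, reason)."""
    op = event["op"]
    if op == "download" and event.get("content_type") in policy["blocked_content_types"]:
        return False, "blocked content type"
    if op == "upload":
        tenants = policy["upload_allowed_tenants"].get(event["host"])
        if tenants is None:
            return False, "uploads not permitted to this host"
        if event.get("tenant") not in tenants:
            # The whitelisted storage service is fine; a personal account on it is not.
            return False, "upload to non-corporate tenant"
    return True, "permitted by policy"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained session log so a compliance review can detect gaps or edits."""
    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, event, allow, reason):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "allow": allow, "reason": reason, "prev": self._prev}
        entry["hash"] = _digest(entry)  # covers every field plus the previous entry's hash
        self._prev = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Encrypting the log at rest, as the text calls for, sits outside this snippet; the hash chain only makes later edits or deleted entries detectable during review.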
Last but not least, investment firms should ensure that the solution they select has already proved its mettle in real-world use. By choosing a cloud browser trusted by the firm’s peers in the financial services sector, as well as by their law firms, vendors and regulators, they will save time and money and regain control on the web before it’s too late.
[1] SEC Office of Compliance Inspections and Examinations Announces 2018 Examination Priorities – https://www.sec.gov/news/press-release/2018-12 (Press Release 2/2018)
[2] Osterman Research: Why You Should Seriously Consider Web Isolation Technology – https://www.ostermanresearch.com/home/white-papers/ (White Paper, 12/2018)
[3] Symantec: 2018 Internet Security Threat Report – http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf
[4] Scott Petry: The Architecture of the Web is Unsafe for Today’s World – https://www.darkreading.com/endpoint/the-architecture-of-the-web-is-unsafe-for-todays-world/a/d-id/1328529 (Dark Reading, 4/19/2017)
[5] OCIE: Observations from Cybersecurity Examinations – https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf (2017)
[6] Xavier de Carné de Carnavalet and Mohammad Mannan: Killed by Proxy: Analyzing Client-end TLS Interception Software – http://users.encs.concordia.ca/~mmannan/publications/ssl-interception-ndss2016.pdf (Research Paper, Concordia University, Montreal, Canada, 2016)
[7] OCIE: Observations from Cybersecurity Examinations – https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf (2017)
[8] Control and Compliance in Regulated Securities Investment Firms: What Regulators Want to See – https://www.dropbox.com/s/0mqjt15llrp6bi7/2018-11-26%20Control%20%26%20Compliance%20in%20Regulated%20Securities%20Investment%20Firms.pdf (11/2018)