Selecting a cybersecurity vendor is an important decision that may affect your users’ productivity, your clients’ trust, your bottom line and the way regulators and authorities will treat you in the event of a cybersecurity breach.
In the past few years, due to increasing pressure from regulators, new companies have been created with cybersecurity offerings and existing companies have been adding cybersecurity to their offering. Often without expertise in cybersecurity, in cyber regulations and in financial services, these companies want to take advantage of this new market… At your risk.
To clarify the confusion of terms and concepts used in different ways by an increasing number of companies and sales people, FCI wrote this document to shed light on the subject and ensure that whatever decision you make in selecting a provider, you know what you are getting yourself and your firm into from the start.
The following list outlines proposed criteria you can use to select a cybersecurity provider and a series of questions you can ask the contenders.
1. Industry Focus
Since 1995, FCI is 100% dedicated to serving Broker Dealers, Insurance Carriers and Independent Advisors of the Financial Service Industry.
Can you share your expertise and understanding of the Financial Services Industry, as well as the number of years you have been in this market?
2. Cyber Regulation Expertise
FCI closely monitors cyber regulations in the Financial Services industry and each of their requirements. To share his knowledge, expertise and track record, Brian Edelman, FCI’s CEO, is frequently asked to speak at major industry conferences such as TD Ameritrade LINC, The Financial Planning Association, and T3 TechHub. He has been quoted in industry publications such as CNBC, Financial Planning Magazine, and Investment News.
One of Brian’s areas of expertise is cybersecurity regulations and compliance at both the Federal and State levels. This includes 23 NYCRR 500 regulations from the NY Department of Financial Services (NYDFS), the most prescriptive level of regulations which impact every major Financial Services organization.
At FCI, we are committed to supporting our clients to meet the NYDFS regulations.
Can you share your expertise and understanding of cyber regulations in the Financial Services Industry, as well as examples of when and where your expertise was called upon?
3. Company Types
3.1 MSPs Or IT Firms
Since they have access to usernames and passwords and to Nonpublic Information (NPI), one the biggest cyber risks today is having a Managed Service Provider (MSP) or an IT firm responsible for your cybersecurity. To ensure Checks & Balances, the MSP, or IT firm, should focus on Data Controls (users, applications, devices, network, infrastructure, etc.) and leave Technical Controls (Cyber settings and Cyber Tools) to another expert vendor. During recent audits at client locations in which we participated, we witnessed regulators expecting this demarcation between IT and cybersecurity by requesting the names of the firm responsible for each.
FCI has developed an MSP Partner Program to leverage both firms’ expertise and strengths to deliver an integrated offering that better serves and secures our common clients.
3.2 Software Vendors
You may decide to select software vendors and piecemeal a complete cybersecurity solution by yourself. In this case, to ensure software stability, reliability and cybersecurity, it is recommended to select best-of-breed software, typically from public companies or companies that can demonstrate having invested years in research and development in their products that are installed not on few thousands but on millions of devices.
The main challenge of this approach is that typically users, or IT teams, need to be involved at some point for the installation, configuration, update and monitoring of the software. This could be distracting, and even frustrating, for users and typically increases the risk of human error.
Software vendors often provide software and the support to make sure it works properly but rarely offer a complete range of cyber services especially regarding incident response, negotiation with hackers, and representing you in front of the FBI in the event of a breach.
The main goals and strategic initiatives of Software Vendors are related to selling licenses of their software. Services will always come second.
FCI is a Managed Security Service Provider (MSSP) who selects, integrates and augments best-of-breed cybersecurity software into one integrated, automated and scalable platform called Protectit. Through a single software agent, FCI automatically configures endpoint cyber settings (complex password, screen saver, device firewall, etc.) and installs, configures, updates and monitors cyber tools (antivirus, full-disk encryption, multi-factor-authentication) without user involvement and at lower cost than when performed manually by end-users or IT teams.
The main goals and strategic initiatives of FCI are, and will always be, related to providing services to our clients.
4. Cybersecurity Expertise
25 years of experience in cybersecurity is not easy to summarize in few lines. The immense expertise of FCI was developed through the thorough selection, testing and integration of best-of-breed software, the analysis and remediation of thousands of cyber incidents, the multitude encounters with regulators and authorities during cyber breaches, and discussions with clients to understand their needs while helping them meet cyber regulations.
FCI has been there and done that!
Can you share with us how you developed your cyber expertise and over how many years?
5. Ratings, Audits & Certifications
Your firm may not have the human and financial resources to get into an extensive due diligence process to select a cybersecurity provider. One alternative is for you to leverage the work of others and look for existing current ratings, audits and certifications of vendors.
The minor issues are not related to FCI Security Operation Center but to FCI Corporate Website best practices. They are being addressed.
Can you share your Security Scorecard rating with us?
FCI is annually audited by Broker Dealer and Insurance Carrier clients. Since FCI does not access, store or control NPI, a SIG Light is usually the format of the audit. For references and upon request, FCI can introduce you to some of our contacts at these enterprises.
FCI has successfully completed MSPAlliance’s MSP Verify Program (MSPV) certification process, the oldest certification program for cloud computing and Managed Services Providers. The MSPV is based on the Unified Certification Standard (UCS) for Cloud and Managed Service Providers and developed by the International Association of Cloud and Managed Service Providers.
The UCS consists of 10 control objectives and underlying controls that constitute crucial building blocks of a successful managed services and cloud computing practice. Once the provider’s organization has completed all MSPV documentation on all applicable control objectives (with the assistance of MSPAlliance’s readiness assessments, gap analysis, helpful templates and consulting) the results are then examined by an independent third-party accounting firm for verification and signing of a public-facing report.
As with any other certification of this type, the MSPV certification must be renewed annually. The MSPV was the first certification created specifically for the managed services and cloud industry. The MSPV has been reviewed by governmental agencies and regulatory bodies across the globe and is used and accepted in 5 continents around the world.
Customers who select a company that is part of the MSPV can also rest assured that their solution provider has met and exceeded the following standards dealing with:
Objective 1: Governance
Objective 2: Policies and Procedures
Objective 3: Confidentiality and Privacy
Objective 4: Change Management
Objective 5: Service Operations Management
Objective 6: Information Security
Objective 7: Data Management
Objective 8: Physical Security
Objective 9: Billing and Reporting
Objective 10: Corporate Health
Upon request, FCI can provide you with the MSPV Certification report.
Can you provide a detailed audit report of your cybersecurity certification?
6. NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure.
The NIST Cybersecurity Framework is designed to be intuitive and to act as a translation layer to enable communication between multi-disciplinary teams by using simplistic and non-technical language. The Framework includes five high level functions: Identify, Protect, Detect, Respond, and Recover.
See how FCI built its offering around this framework at FCI NIST-Based Endpoint Security Offering
Can you provide, in writing and in detail, exactly how you support each function of the NIST Cybersecurity Framework?
7. Cyber Security Program
This is no longer an option: You need a cyber program. This is the first document that is requested by regulators and authorities in the event of an audit or a breach. Not only do you have to be able to show your cyber program, but you must also show evidence that it is implemented.
A cyber program is more than a cybersecurity policy or a WISP (Written Information Security Policy), which typically only lists the required or standard endpoint cyber setting and cyber tools. A complete cyber program covers the full range of policies and procedures related to the security of your firm and the NPI of your clients.
Included with FCI services, a comprehensive cyber program is offered with support to adapt it to your particular situation or environment. To save you time and resources, the provided cyber program template is already pre-filled with common industry best practice policies.
Also, all the required log templates are already created so you can track evidence of the implementation of your policies.
Can you provide us with a complete pre-filled Cyber Program template, including all the log forms that should be filled to evidence the policies?
8. Software Agent Deployment
Endpoint Security starts with the deployment of a software agent on the endpoints. Multiple options are available to achieve this task.
8.1 Installation At The Time Of Login To A Web App Or Portal
At the time of login to a Web App or Portal, a validation will be made to verify that the software agent is installed on the computer. If it is not present, the user will be offered to download and install it. This method can be implemented in 2 ways:
8.1.1 Vendor Code Added To Your Web App Or Portal
This method can put at risk the Web App or Portal as it requires code from the vendor to be added to the Web App or Portal. If this method is selected, application penetration testing must be performed after such a change to verify the security of the Web App or Portal. Even with this test, most cybersecurity experts will not recommend this method as it increases your security risk.
8.1.2 Single Sign On
This is the most secure, proven and reliable way to link your Web app or Portal with a vendor system for the deployment of a software agent.
8.2 Installation Link
An installation link is sent via email to users who will simply install the agent. Even if the first method is preferred, an installation link is still required for computers that do not access your Web app.
8.3 Manual Installation
Typically performed by MSPs and IT firms, this requires a technician to sit at every computer to install the software agent. It also requires remote users to bring their computers to the office to have the agent installed. The main disadvantage of this method is that the computer may be at risk for a certain period of time, for example between the time a new computer is purchased and the time the agent is installed.
FCI offers 2 deployment methods: The installation Link and the Single Sign on.
How can you automatically deploy your software agent? If you offer deployment at the time of login to a Web App or Portal, what method are you using (Code or Single Sign On)?
As per NIST, Identification is: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. This section covers a subset of the NIST Identification Function.
9.1 Asset Inventory Dashboard & Report
The asset inventory must contain a list of all your endpoints used to access, store or control NPI. This includes endpoints at the office but also any other BYOD endpoints. For each endpoint, the report should indicate endpoint cyber postures:
- Cyber settings such as complex password, screen saver and personal firewall
- Cyber tools such as antivirus, full-disk encryption and multi-factor authentication
Can we see a sample of your asset inventory report? Can we see a demo of your dashboard? Is it protected with MFA?
9.2 Cyber Settings & Cyber Tools Enforcement
Your cybersecurity provider must enforce the endpoint cyber settings (complex password, screen saver and personal firewall, etc.) and cyber tools (antivirus, full-disk encryption and multi-factor authentication). The cyber tools must be installed, configured and updated.
There are three methods to achieve this:
9.2.1 Manual Configuration
Yes, someone can sit at a computer to setup cyber settings and install cyber tools but again, as with the installation of the software agent, this requires time and resources. Also, at any time, settings can be changed, making the endpoint non-compliant. This also forces end-users to be responsible and take action in the event of a threat being identified on their device.
9.2.2 Instructions To Users
This option is misleading. Vendors promote what they call “Auto Remediation” which basically tells users what they have to do to fix their non-compliance issues, generating user frustration due to productivity disruption.
The problem with this approach is that the cybersecurity vendor is only responsible to provide you with an asset inventory report that shows you the cyber posture of devices. The vendor is not responsible to make endpoints compliant. This is what we call the “Not-In-Good-Order” Report: A report that shows you the cyber posture of your devices and leaves you with the recurring task to contact users to remind them they have to act on the non-compliance of their device. This in turn generates additional labor costs for your firm.
To ensure the compliance of all endpoints, the verification of the report and the task of contacting non-compliant users will need to be done monthly and before an audit. Unfortunately, in the event of a breach, it will be too late to try to get a compliant asset inventory report.
9.2.3 Automated Without User Involvement Or Disruption
The optimal situation is when the cybersecurity vendor is responsible to enforce the cyber settings and cyber tools without user involvement or disruption. To put it simply, the vendor is the one responsible for the compliance of your devices. Also, since the vendor controls these settings which are aligned with your cyber security policy, most of them cannot be changed by user. For other settings that can be changed by users, if they are modified for some reason, they will automatically be put back in compliance.
The method used to enforce a security policy, the cyber settings and the cyber tools is one of the most important criteria to consider in the selection of your cyber security vendor.
FCI offers automated enforcement of cyber settings and cyber tools without user involvement or disruption.
Can you automatically enforce cyber settings and cyber tools on all our endpoints without any user involvement or disruption?
9.3 Risk Assessment
A Risk Assessment contains two sections:
- Security Assessment: Network penetration testing and vulnerability scans
- Policies & Procedures Assessment: A review of your policies and procedures, including a review of the Asset Inventory Report and the Security Assessment Report
To ensure objectivity and to avoid conflict of interest, the Policies & Procedures Assessment should not be performed by the same firm that did the Security Assessment.
FCI provides Security Assessments and a third-party is required to perform the Policies & Procedures Assessments. In some cases, some Enterprises authorize their advisors to perform a Policies & Procedures Self-Assessment.
As per NIST, Protection is: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. This section covers a subset of the NIST Protection Function.
10.1 Endpoint Security
Please ensure that you, your advisors, or your security provider do not select free software which typically only have a subset of their paid version features.
Commonly called “antivirus,” the next generation of endpoint security tools are now doing much more then checking for known viruses as they provide an extended list of security features such as:
- Antivirus & Antimalware
- Web Security
- Download Reputation
- Web Control / URL Blocking
- Peripheral Control (e.g. USB)
- Application Control
- Behavior Analysis: Host Intrusion Prevention System (HIPS)
- Potentially Unwanted Application (PUA) & Adware Blocking
- Data Loss Prevention
- Malicious Traffic Detection
FCI automatically installs, configures and updates endpoint security software without user involvement or disruption.
Can you automatically install, configure and update endpoint security software (antivirus) without any user involvement or disruption?
10.2 Full-Disk Encryption (FDE)
In recent years, FDE features were added into operating systems, making third-party FDE software obsolete. The challenge today with FDE is not the configuration but the backup of the encryption key. During the FDE configuration, FCI sends a copy of the encryption key to FCI’s Security Operation Center where it will be available to be restored when required.
Do you keep a copy of our full-disk encryption keys and can you support us to restore them when required?
As per NIST, Detection is: Develop and implement the appropriate activities to identify the occurrence of a security event. This section covers a subset of the NIST Detection Function.
The two main questions around Detection are what is monitored and who is alerted in the event of a cyber incident: Is it the users or the cyber security provider?
FCI offers an extensive list of security features and monitoring tools for the detection of cyber threats:
- 24×7 Performance & Availability Monitoring
- 24×7 Cyber Threat Monitoring
- 24×7 Cyber Compliance Monitoring
- Endpoint Intrusion Detection & Prevention
- Security Incident Event Monitoring & Management
- Log/Data Aggregation
- User Behavioral Analytics (UBA)
- Real-Time Security Alerts & Reporting
And when there is an alert about a threat, FCI receives it, not the user.
What are the monitoring tools you are using and who is alerted in the event of a cyber incident?
As per NIST, Response is: Develop and implement the appropriate activities when facing a detected security event. This section covers a subset of the NIST Detection Function.
12.1 Incident Response
Incident response is an organized approach to addressing and managing the aftermath of a security incident. From detection to resolution, a cyber incident is managed by your cyber team as defined in your Security Incident Response Plan.
Brian Edelman, FCI CEO, is listed as a member of the Security Incident Response Plan’s cyber team for each of our clients. In the past 25 years, Brian has led the assessment and remediation of hundreds of incidents with one goal always in mind: Keeping incidents from becoming breaches.
Can you share your incident response expertise with us and provide an experienced resource to be part of our cyber team and be available to actively support our efforts in in the event of a security incident?
12.2 Virus & Malware
Some viruses and malware can be identified and remediated automatically by the endpoint protection software. In some cases, an alert is sent so an action must be taken. Who do you want to receive the alert? Your users or a team of cyber experts?
In the event of a virus or malware alert that requires human intervention, who receives the alert and acts on it? Our users or your team?
12.3 Mass Vulnerability Response
A zero-day vulnerability is a software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability. Until the vulnerability is mitigated, hackers can exploit it to adversely affect computer programs, data, additional computers or a network.
When a zero-day vulnerability is announced (and the industry had its share of these for Microsoft Windows in the past year), your cyber vendor should be able to react quickly. The typical process is:
- Understanding the vulnerability and its consequences
- While waiting for a patch to be provided by the software company, find and test alternative solutions or workarounds to mitigate the risk
- Automatically, and seamlessly, deploy a temporary solution to all devices at once without IT or user intervention
- When the patch is available, test it thoroughly
- Automatically and seamlessly deploy the final patch to all devices at once without IT or user intervention
FCI has developed a specific expertise in mass vulnerability response and is often called upon to consult with enterprises of all sizes on this topic. With extensive expertise developed over years, FCI’s fully integrated, automated platform and support team has stood the test of time in handling a large range of vulnerabilities with efficiency and resolution.
What is your expertise in mass vulnerability response and how would you react to a zero-day vulnerability? Can you develop workarounds and deploy them to all our devices automatically?
12.4 Phishing & Ransomware
Unfortunately, the best data loss prevention and data leakage protection systems are still not able to stop users from clicking on a wrong link or being the victim of ransomware. In these situations, the expertise of the cybersecurity expert on your cyber team is crucial.
From the forensics of a phishing email to a negotiation with a hacker, FCI has the knowledge, expertise and track record to reduce your risk.
What is your expertise with phishing and ransomware? Can you negotiate with a hacker for us if required?
It is confirmed. You have a breach. The FBI is calling. What do you say?
When an incident is declared a breach, the FBI takes over. In this situation, the focus of FCI is to evidence your endpoint compliance with the Asset Inventory Report and share the forensics performed pre-breach. Your responsibility is to show your cyber program and evidence that it is being enforced
What is your expertise with breaches? During a breach, can you be part of the discussions with regulators and authorities? The FBI?
14. Vendor Cyber Security Package
As for other vendors, you have to do a Vendor Risk Assessment of your cybersecurity provider. This includes confirmation of insurance, of an implemented cyber program, of all the endpoint and network security, as well as the policies and procedures that are in place to protect your data.
Can you provide us with your Cyber Package?
Your firm’s security, reputation and ability to comply with cyber regulations depends upon a reliable and complete cybersecurity solution.
Understanding the details that constitute cybersecurity services and knowing the right questions to ask potential vendors puts you in position to make a well-informed choice of cybersecurity provider.