Corporate Compliance Insights

A Persistent Threat in Financial Services

by John Klassen
January 2, 2019
in Risk

Key Controls on Web Use to Avoid Regulatory Scrutiny

For regulated investment firms, the SEC has prioritized cybersecurity, governance and data loss prevention. While firms cover the gamut in their compliance manuals and policies, their practice reveals alarming gaps when team members access the web. John Klassen of Authentic8 discusses how compliance teams can ensure oversight and control over employees’ web activities.

For buy-side and sell-side firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has prioritized “cybersecurity with an emphasis on, among other things, governance and risk assessment, access rights and controls, data loss prevention […] and incident response.”[1]

While these regulated entities have significantly strengthened their compliance policies, their practices still reveal troubling deficiencies. Behind closed doors, compliance leaders in many firms admit that they lack the tools to sufficiently monitor, audit and enforce employee web use policy.

Regulators expect firms to make a “reasonable” attempt to ensure oversight and remediate areas of weakness. So what’s getting in the way?

The Web: Asset or Liability? It Depends On the Browser.

Whether research analysts or investment managers use business apps or social media, they rely on the locally installed web browser as their primary tool. It is the very same tool that increasingly leaves firms exposed to risks of data breaches and compliance violations online. Osterman Research found “a wide range of threats” resulting from the use of locally installed browsers, “including ransomware, other types of malware, leaks of sensitive and confidential information and catastrophic data breaches.”[2]

This puts an extra burden on compliance and IT leaders. While more business functions in investment firms are shifting to cloud-based applications and services, ironically their locally installed browsers are still stuck in IT’s past. Their inherent security weakness makes them a gateway for web-borne exploits. One in 13 web requests today leads to malware, up from one in 20 in 2016, according to security researchers at software firm Symantec.[3]

As a result, the browser has become synonymous with increased risk, loss of control and compliance violations online. The underlying reason is simple: the local browser was not designed with security and compliance in mind.

The Browser: A Compliance Blind Spot

At its core, the local browser remains an anachronistic holdover from the 1990s rush to the web. Its inherent lack of security and auditability leaves firms exposed to risks of data breaches and data loss.

This has created a dangerous blind spot for the compliance team and IT. The browser’s architectural flaws and vulnerabilities make it notoriously difficult to manage, monitor and secure against web-borne exploits.[4]

“Missed patches and updates” were among the compliance risks that OCIE staff pointed out following examinations of RIAs and investment funds. Although all advisers and funds had a process in place for ensuring regular system maintenance, the examiners found that critical security updates had not been installed.[5]

Patchwork Security: More Complexity, Less Control

The outdated, supposedly “free” local browser comes at a cost. It necessitates IT security point solutions which lull users – and IT admins – into a false sense of safety. Examples are antivirus (AV) software and secure web gateways (SWG) on the local network, which aim to fill the security or compliance gaps left by the local browser.

Such tools add more complexity and maintenance requirements, and they also tend to introduce additional risks, security researchers warn.[6] The same holds true for URL filtering solutions that aim to mitigate web risks by categorizing sites in “blacklists” and “whitelists” – at a time when most compliance risks emanate from the web’s “gray zone.”

Browsing in the Web’s Gray Zone

The exponential growth of the web has rendered traditional black/white, risk/no-risk categories obsolete. Blacklists have failed to make firms safer, because they are outpaced by the web’s rapid growth. Loss of productivity can result when team members are unable to access sites they need for research. Whitelisted or authorized sites, on the other hand, are assumed safe but need not be: they can serve web-based scripts that the browser executes locally, infecting the firm’s IT infrastructure with malware.

A cloud storage service may be whitelisted for internal use, but it can also be abused. Using their browser, insiders can exfiltrate proprietary information to a personal account with the same service. This is an actual example, not merely a theoretical possibility.

Firms are usually blindsided by such incidents. Problems like these typically arise in firms that still use a local browser to access the internet, which prevents oversight and control for the compliance team and IT.

Trading Security for Productivity?

Compliance and IT teams face a conundrum: A more restrictive web use policy may help ensure network security and oversight, but on the downside, it may also lead to a productivity loss and put the firm at a competitive disadvantage.

Team members rely on the web to quickly aggregate actionable market intelligence from widely disparate sources. They also need to access office resources from home or via public Wi-Fi without putting their firm at risk.

All this is why, following the example of leading financial institutions and organizations in other highly regulated sectors, more investment firms are taking the logical next step. They eliminate the associated risks by replacing the regular browser with a cloud browser that isolates web access and can be centrally managed, monitored and audited.

Cloud Browser for Full Compliance and Control

How do cloud browsers work? With a compliance-ready cloud browser, all web code is processed on a remote host configured for regulatory compliance and data security. No code from the web can reach the local IT infrastructure. The cloud browser serves as a central, audited asset that ensures all user activity on the web can be reviewed against GRC requirements.

Browser isolation outside the firm’s IT perimeter offers a win-win instead of weak compromises, enabling CCOs and IT to implement the recommendations of the OCIE.[7] Employees get access to the web via a secure, compliant, personalized browser. IT gets complete isolation from the risk of malware, a robust set of administrative controls and a fully auditable log of a user’s activity, all embedded in a remote cloud browser.

Investment firms with business interests in the European Union have one more reason to use a cloud browser: Unlike regular browsers, a cloud browser for use in this space would have to provide privacy controls that fulfill the requirements of the European Union’s Data Protection Directive (Directive 95/46/EC) and meet the requirements of the General Data Protection Regulation (GDPR).

How do investment firms establish whether a cloud browser fits their needs? Market research[8] indicates they expect their cloud browser to provide a single point of control and granular oversight for IT administrators and compliance officers.

How Do Firms Select a Cloud Browser?

With a compliance-ready cloud browser, there should be no more blind spots when team members go online. Each browser session should be built based on embedded policies predefined by the firm’s IT security or compliance teams.

A compliance-ready cloud browser enables the team to centrally manage network device access, websites, content types, credentials and data operations. It should log and encrypt all user actions to facilitate compliance reviews and post-issue remediation.
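The whitelisted cloud-storage scenario described under “Browsing in the Web’s Gray Zone” and the policy-driven logging this section calls for, as an added illustration that is not part of the original article or of any vendor’s product: a small policy evaluator run over constructed audit-log lines, flagging a data operation to an allowed site when it uses a non-corporate account. The policy keys, site names, account names and log format are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample policy (hypothetical names, not any vendor's schema):
# which sites are allowed, and for each site which corporate accounts are
# sanctioned for data operations such as uploads.
POLICY = {
    "allowed_sites": {"research.example.com", "storage.example-cloud.com"},
    "corporate_accounts": {"storage.example-cloud.com": {"acme-corp"}},
    "data_ops_require_corporate_account": {"upload"},
}

# Constructed audit-log lines in the shape a central browser log might emit:
# one JSON object per user action. Note the upload to an allowed service
# via a personal account, the case a plain whitelist would wave through.
SAMPLE_LOG = """
{"ts":"2019-01-02T09:01:00Z","user":"analyst1","site":"research.example.com","action":"view","account":null,"bytes":0}
{"ts":"2019-01-02T09:05:00Z","user":"analyst1","site":"storage.example-cloud.com","action":"upload","account":"acme-corp","bytes":20480}
{"ts":"2019-01-02T09:07:00Z","user":"analyst2","site":"storage.example-cloud.com","action":"upload","account":"analyst2-personal","bytes":5242880}
{"ts":"2019-01-02T09:09:00Z","user":"analyst2","site":"unknown-site.example.net","action":"view","account":null,"bytes":0}
"""


def evaluate(event, policy):
    """Return a finding string if the event violates the policy, else None."""
    site = event["site"]
    if site not in policy["allowed_sites"]:
        return f"blocked: {site} is not an allowed site"
    if event["action"] in policy["data_ops_require_corporate_account"]:
        sanctioned = policy["corporate_accounts"].get(site, set())
        if event["account"] not in sanctioned:
            return (f"exfiltration risk: {event['action']} to allowed site {site} "
                    f"via non-corporate account {event['account']!r}")
    return None


def review_log(log_text, policy=POLICY):
    """Run every log line through the policy; return findings keyed by user."""
    findings = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        finding = evaluate(event, policy)
        if finding:
            findings[event["user"]].append((event["ts"], finding))
    return dict(findings)


if __name__ == "__main__":
    for user, items in review_log(SAMPLE_LOG).items():
        for ts, finding in items:
            print(f"{ts} {user}: {finding}")
```

The same evaluator can be pointed at a real audit export once the site and account fields are mapped to whatever the firm's browser actually logs.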

Last but not least, investment firms should ensure that the solution they select has already proved its mettle in real-world use. By choosing a cloud browser trusted by the firm’s peers in the financial services sector, as well as by their law firms, vendors and regulators, they will save time and money and regain control on the web before it’s too late.


[1] SEC: Office of Compliance Inspections and Examinations Announces 2018 Examination Priorities. Press release, 2/2018. https://www.sec.gov/news/press-release/2018-12

[2] Osterman Research: Why You Should Seriously Consider Web Isolation Technology. White paper, 12/2018. https://www.ostermanresearch.com/home/white-papers/

[3] Symantec: 2018 Internet Security Threat Report. http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf

[4] Scott Petry: The Architecture of the Web is Unsafe for Today’s World. Dark Reading, 4/19/2017. https://www.darkreading.com/endpoint/the-architecture-of-the-web-is-unsafe-for-todays-world/a/d-id/1328529

[5] OCIE: Observations from Cybersecurity Examinations. SEC, 2017. https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf

[6] Xavier de Carné de Carnavalet and Mohammad Mannan: Killed by Proxy: Analyzing Client-end TLS Interception Software. Research paper, Concordia University, Montreal, Canada, 2016. http://users.encs.concordia.ca/~mmannan/publications/ssl-interception-ndss2016.pdf

[7] OCIE: Observations from Cybersecurity Examinations. SEC, 2017. https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf

[8] Control and Compliance in Regulated Securities Investment Firms: What Regulators Want to See. Market research, 11/2018. https://www.dropbox.com/s/0mqjt15llrp6bi7/2018-11-26%20Control%20%26%20Compliance%20in%20Regulated%20Securities%20Investment%20Firms.pdf
John Klassen is Product Marketing Manager at Authentic8, maker of Silo, the browser in the cloud that ensures compliance and control for the world’s most demanding firms in regulated industries.