Author Archives: Megan Carnes

Guarding Britain’s Health: Strengthening Cybersecurity in the UK Healthcare Sector

This month, NHS London was the victim of a brutal cyberattack, forcing administrators to cancel operations and transfer emergency patients to alternative centres immediately. Among those affected are some of the best-known hospitals in the country, such as King’s College Hospital, Guy’s and St Thomas’, and, unfortunately, the Evelina London Children’s Hospital and the Royal Brompton.

However, this problem is a familiar one. Back in 2020, the first death attributed to ransomware was recorded in Düsseldorf. An attack paralysed the hospital’s systems to the extent that it was forced to pause all admissions to its A&E department. This resulted in hospital staff frantically diverting inpatients to a city 19 miles away, proving fatal for one woman. Then, in August 2022, the UK’s NHS 111 service was taken offline by a severe cyberattack that also came through its supply chain, via its service provider, Advanced, which meant that 40 million people were denied access.

This illustrates the gravity of ransomware attacks on the healthcare sector. In this blog, we will delve deeper into recent trends so your company can maintain agility in the face of ever-evolving and ruthless attacks.

Complex supply chain

Britain’s NHS delivers care to 68 million people and is one of the world’s largest employers, providing work to 1.7 million people. As an employer, it is behind only the US and Chinese militaries, Walmart, and McDonald’s. Despite its vast size, it was successfully breached earlier this month and continues to suffer significant disruptions across six entire NHS trusts and many GP practices spread across southeast London, serving 2 million Brits. This is due to a breach at Synnovis, a private firm that the NHS uses to process blood tests.

A senior NHS source warned that it would take “many months” to resolve and that it is not yet clear “how the hackers gained access to the system, how many records have been affected and whether these records are retrievable.” As a result, even an entity with the enormous infrastructure of the NHS has been forced to dust off a paper records system, where patients’ information is printed and blood samples hand-delivered by porters.

Already in 2022, the NHS suffered a severe ransomware attack caused by a breach of its Adastra software, which was operated by a third party. Was this a test of the NHS supply chain? This ransomware attack not only caused financial disruption but also distress to patients in the care homes whose data was sold.

Attacks continue. Earlier this year, in March 2024, NHS Dumfries & Galloway was hit by an attack that caused widespread distress and the release of confidential patient data. The implications and investigations of this attack are ongoing, and public concern continues.

Why is the UK healthcare sector so vulnerable?

Martin Lee, Cisco’s UK-based security research lead, warns: “When healthcare systems and data are unavailable, lives are potentially at risk. This makes the sector a tempting target for criminals. Outages put pressure on management to pay off the attackers to restore availability quickly. However, paying the ransom means that these attacks remain profitable and ultimately only serve to encourage further attacks.”

According to a report by Cisco’s Talos threat intelligence division, healthcare providers were the most targeted by ransomware gangs last year. The report attributed this to these organisations having “underfunded budgets for cybersecurity and low downtime tolerance.”

The figures back this up, as this marks the third time that Synlab and Synnovis have been attacked, affecting pathology services across Europe. For example, in June 2023, the ransomware gang Clop breached the French branch and stole data, while earlier this year, Synlab’s Italian subsidiary was hit by a separate ransomware group, Black Basta. The group gained access to around 1.5TB of data and published it in its entirety when no final ransom was paid.

A similar attack was the one on the Finnish mental health giant Vastaamo in 2020, where a copy of all data on the system was sent to the attacker. This included names, addresses, and notes from the therapist on each private session. The work therapists do in dealing with people’s deepest fears and secrets is naturally a very sensitive one, and this attack was devastating for the mental health of its victims. Vastaamo has now ceased trading.

Concerns over the potential escalation of these attacks had been raised in Parliament in 2023, as the increasing use of digital healthcare in the UK means that more critical equipment and systems are connected to the internet, making them a potential target for cybercriminals. Moreover, in a post-COVID world, the use of telemedicine is increasing. In 2023, the NHS began circulating information on ‘Connected Medical Devices’ cyber vulnerabilities to its staff. In February 2024, the World Economic Forum went so far as to name the healthcare sector as the biggest target for cybercrime due to the critical data it holds and the online devices controlling people’s lives.

How has unpreparedness for attacks recently affected the healthcare sector?

The desperate need to get back online is one of the reasons why 38% of healthcare organisations are reported to have paid a ransomware fee. A 2022 survey of 100 cybersecurity managers in the UK health sector found that 81% of healthcare organisations in the UK had been hit by ransomware in the previous year. Whilst 38% paid the ransom to regain their files, 44% refused to pay and lost their healthcare data. Close to two-thirds (64%) of respondents admitted their organisation had to cancel in-person appointments because of a cyber-attack.

Even unexpected sources can be vulnerable in the healthcare sector. The London Borough of Camden recently warned of a risk to personal data after one of their suppliers of beds, hoists, and grab rails was attacked. Computers attached to MRI machines, CT scanners, blood pressure and heart-rate monitors are vulnerable and provide back doors into connected systems.

How can you protect your business?

These numerous and ruthless attacks serve as another reminder to have the measures in place to prevent you from being caught off guard. The NHS experience illustrates how even large, well-resourced providers can be vulnerable to prolonged disruptions if proper security measures are not in place. The UK government has committed to a series of measures to support healthcare providers by 2030. Still, in the meantime, businesses in the supply chain must take appropriate measures to keep defences high.

At Thrive, we specialise in providing industry-leading cybersecurity solutions tailored to you and your staff’s needs. Our team of experts can work closely with your organisation to identify vulnerabilities, implement robust safeguards, develop incident response plans, and ensure you have the defences to maintain operational resilience in the face of ransomware and other malicious attacks.

Don’t leave your systems, data, and, most importantly, your patients at risk. Contact Thrive today to learn how we can fortify your company and give you the peace of mind to continue delivering essential services without disruption. Protect your operations, reputation, and ability to contribute to life-saving care with Thrive as your trusted cybersecurity partner.

Strengthening Financial IT Resilience: Navigating DORA Compliance with Thrive (Part 1)

Overview:

The Digital Operational Resilience Act (DORA) was enacted on January 16, 2023, and will be enforced starting January 17, 2025.

DORA aims to ensure the IT resilience and security of any financial entity (FE) in Europe and its ICT providers, including banks, crypto, insurance, and investment firms, even during severe operational impacts like distributed denial of service (DDoS) cyber-attacks and ransomware. Thrive can assist in the key areas that support compliance with DORA.

Third-Party Risk Management:

Under DORA, this is the most significant and most underestimated body of work, even for firms with the usual resilience arrangements in place. DORA mandates the analysis, contractual documentation, and management of third-party risks. Thrive enhances security by ensuring essential third-party providers are evaluated, documented, approved, monitored, and managed.

Oversight of Critical Third-Party Providers:

DORA requires an oversight framework for critical third-party providers. Thrive enhances transparency and accountability within this ecosystem, ensuring essential services remain accessible under challenging circumstances.

Incident Response and Reporting:

Thrive facilitates comprehensive incident response processes, enabling IT teams to troubleshoot devices promptly, diagnose issues, mitigate and remediate systems, apply patches, and recover systems. This also helps to ensure timely reporting and resolution of operational disruptions.

Testing and Resilience Assessment:

Thrive supports complete digital operational resilience testing (in existing terms, disaster recovery and business continuity testing). Testing these plans helps institutions evaluate the effectiveness of alternative processes and seamlessly switch to secondary methods during disruptions.

Audit Trails and Logs:

Thrive generates detailed audit trails and logs of user activities, assisting organisations in demonstrating compliance with DORA’s requirements. This will also facilitate information sharing around threats seen or experienced, particularly zero-day attacks.

Responsibility and Accountability (i.e. Governance):

DORA establishes clear responsibility for operational resilience at the highest levels of a firm, including the Board and senior executives (CxOs). They play a crucial role in implementing DORA’s essential components.

Critical Plans (i.e. Risk Management Framework):

Board members and senior executives will need to approve critical plans related to operational resilience. These plans include the firm’s digital operational resilience strategy and its policy regarding ICT Third Parties (TPs). DORA is acknowledged as being best aligned with ISO 27001 – more on this in part 3 of this blog series.

Daily Operations:

Senior leaders are also responsible for making decisions integrating DORA’s requirements into the firm’s day-to-day operations. This involves setting risk tolerance levels and prioritising actions to address identified operational vulnerabilities.

In simpler terms, DORA ensures that financial institutions and technology partners are well-prepared to effectively handle disruptions and cyber risks. It’s all about making sure our FEs stay strong and resilient!

Part 2 of this blog series will examine the EU’s process to get to where we are from the initial 2023 effective date. The EU set up numerous European consultations with FEs and conducted dry runs with well-known participants, particularly on the third-party risk management process and expectations. Feedback is contained in many fascinating spreadsheet entries. Many lessons have been learnt and challenges raised, where the EU believes that requirements are reasonable, but the industry may have alternative views.

Responses to public consultations on DORA 1st batch.xlsx (live.com)


In conclusion, Thrive is crucial in bolstering our client’s operational resilience through our own operationally resilient platform and business, reducing dependency on single systems, teams, or procedures, and enhancing risk management in the financial sector in alignment with DORA’s objectives.


Graphic Source: https://kpmg.com/lu/en/blogs/home/posts/2023/04/dora-regulation-all-your-questions-answered.html

New VMware Licensing Changes under Broadcom create Choppy Waters

As everyone navigates the future of VMware within Broadcom, and the economic impact of their much-publicized price hikes, please lean on Thrive to help re-architect your cloud strategy for greater technology ROI. As one of the largest VMware Cloud Providers in the world, with more than a dozen Global Cloud nodes in Tier IV datacenters, Thrive has the technical expertise and available resources to design complex project plans to migrate large workloads. 

We have been formally selected as a Premier Level Broadcom Advantage Partner. As a Premier Partner, Thrive will continue to offer secure VMware-powered Cloud Solutions that span from Dedicated Private Cloud to fully managed Multi-Tenant Cloud to self-managed Infrastructure-as-a-Service (IaaS). Thrive’s Cloud offerings provide attractive alternatives to companies who are running on-premises or datacenter workloads, and who have been impacted by the Broadcom licensing changes. 


Major Considerations for Migrating to ThriveCloud: 

  1. Security, predictability, and resiliency   
  2. Increased productivity while receiving concierge-type managed support  
  3. Lower, predictable costs, leveraging Thrive’s subject matter experts 
  4. Self-managed IaaS options


Secure 

On-prem servers are more difficult to protect and are often the “low-hanging fruit” for cyber-attacks, with recent stats suggesting a 20% higher target rate. Thrive’s Cloud Services are protected by our 24x7x365 eyes-on-glass Global SOC with standard Virtual Firewalls, IDS/IPS, EDR, SIEM, Zero-Trust, Vulnerability Protection & other cybersecurity options.

Resilient 

Fully Redundant Tier IV Datacenters, VMware Architecture with DR & Replication options around the Globe. Download our Client Resiliency Checklist to learn more.   

Scalability & Flexibility 

Thrive recognizes that a single Cloud option may not be sufficient to meet your clients’ needs. Instead, we embrace the idea of a multi-cloud environment, leveraging Private, Public, and Software-as-a-Service (SaaS) cloud platforms to offer high-performance, scalable, and reliable options to meet every business’ mission-critical needs on demand.

For organizations looking to implement new application hosting strategies quickly, Thrive is ready to engage as your trusted virtualization partner of choice. Our expert team will work with you to design the solution that best fits your needs and budget.  

Please select “ThriveCloud 24” in the requested services dropdown to learn about our zero-upfront-cost migrations. Reach out today.

Organizations are Striving to Maximize Cyber Resilience

From the daunting task of navigating stringent security regulations and ever-evolving compliance requirements to the constant, looming threat of cyberattacks, organizations often feel like they’re in a constant battle. The need for strategic expertise and guidance in such a challenging climate is undeniable. Yet, hiring a full-time Chief Information Security Officer (CISO) is a daunting prospect for many organizations, often due to resource limitations.

Overcoming the IT skills gap and maintaining a secure business

Technology continues evolving and advancing at a rapid pace, ushering in unparalleled opportunities but also creating new vulnerabilities. With this comes the demand for a workforce equipped with up-to-date skills to counter emerging threats. However, the pace of skill acquisition often lags behind the evolving threat landscape, opening organizations to increased risks.

Unexpected Cyber Threats Put Housing Associations and Tenants at Risk

Housing associations across the UK increasingly find themselves in the crosshairs of highly skilled cybercriminals. According to RSM UK, a whopping quarter of housing associations have suffered an attack in the last 12 months. This tidal wave of high-profile attacks has exposed how vulnerable these organisations can be to data breaches, ransomware, and system disruptions. With many housing providers handling sensitive data on tens of thousands of UK tenants, the stakes could not be higher.

Not just compromised data

Clarion Housing Association – the country’s largest with over 125,000 homes – was struck by a major cyber-attack that crippled both its IT systems and phone lines. While the full extent of the breach remains unknown, Clarion warned tenants that their data may have been compromised. The incident follows similar attacks in recent years on housing providers like Bromford and Connexus (in the latter case, the amount of tenant data stolen has yet to be clarified) and on local councils that manage public housing.

The effects of these cyber incidents are severe and widespread. For tenants, they put private information – such as financial records and contact details – at risk of being exposed or held for ransom by criminals. Housing services can halt, making it impossible to report maintenance issues or make rent payments. At best, this poses a significant inconvenience for tenants, landlords and organisations alike; at worst, it is a threat to housing security for some of the most vulnerable people in UK society, such as the elderly, the disabled and those on low incomes.

Not hours… but days or even weeks for recovery

Successful breaches lead to costly downtime, lengthy remediation procedures, potential ransom payments, penalties from bodies such as the ICO for failure to protect citizens’ data, and long-lasting reputational damage. For example, the Bromford attack took days to recover from, while a council in South West England is still working to fully restore its systems two years later, having shelled out hundreds of thousands of pounds. Many entities cannot afford these major financial blows and operational disruptions, especially during the current cost of living crisis.

So, why are housing associations such an attractive target for cybercriminals? And what can be done to better shield the sector against escalating threats?

The vulnerabilities of businesses holding sensitive data

A key factor making housing associations a lucrative target is their heavy digital footprint and the sheer volume of sensitive data they hold online. As organisations embrace the digital world to provide modern online services and store data effortlessly, they exponentially increase the potential attack vectors that cybercriminals can exploit. More smart home and office technology, online customer portals, and web-connected devices mean more endpoints to be secured. Moreover, criminals also perceive housing associations as having weaker cyber defences than other sectors. Budgetary constraints often prevent robust investments in cyber security measures and IT teams. The survey from RSM UK found a shocking 75% of housing associations felt underprepared to deal with ransomware attacks.

The data itself is also precious on the dark web. Housing records contain a treasure trove of personal information on tenants, including contact details, financial data, and home addresses, that can be used for follow-on phishing, fraud, and even physical home break-ins. Analysts estimate cybercrime costs the British economy £27 billion annually, providing ample incentive for criminals to target housing associations.

Deliver the reassurance that tenants crave

While facing this escalating risk, housing associations must take proactive steps to prioritise cyber security and safeguard their systems, data, operations and customers. This goes beyond achieving minimum compliance standards to adopt a comprehensive, vigilant security stance.

Crucial capabilities include steadfast threat monitoring and vulnerability scanning to identify and patch security gaps before cybercriminals can exploit them. 24/7 security operations centre (SOC) services can provide the cost-effective, round-the-clock monitoring that most housing associations lack in-house, and the reassurance tenants crave. Penetration testing is also vital, potentially using certified ethical hackers to probe for vulnerabilities from an attacker’s perspective. Combining this offensive approach with meticulous defensive cyber hygiene, such as software updates, multi-factor authentication, and data encryption, makes it far harder for real-world criminals to carry out a breach successfully.

Regular security awareness training must also be provided to educate employees on evolving threat vectors like phishing, which remains the most common initial attack vector: human error and a lack of cyber awareness among staff open doors for cybercriminals to explore.

Another major weakness is third-party vendors and supply chains, which criminals often use as indirect attack routes to targets. Housing associations must implement strict vetting processes and security requirements for all suppliers and partners.

Predefined and practised working protocols

Housing associations must have comprehensive incident response and disaster recovery plans ahead of time. When attacks inevitably occur, having predefined protocols regarding containment, recovery, and communication is critical to minimising damages and restoring operations as quickly as possible. Too many housing associations have learned the hard way through devastating cyberattacks in recent years. However, by treating cybersecurity as an essential business imperative rather than an afterthought, these organisations can avoid escalating threats and better secure their systems, data, staff, and tenants. With dwindling budgets available during the current cost crunch, providers need partners that deeply understand their challenges and can strategically align services to their priorities.

No organisation is immune to cyber threats in today’s hyper-connected world. But, through concrete investments and strategic partnerships, housing associations can dramatically improve their cyber resilience and focus on their core missions of providing safe, reliable homes and services to all who need them.

At Thrive, we specialise in delivering tailored cybersecurity solutions designed for housing associations’ unique challenges.

The need for action is clear.

Don’t allow your housing association to become another cybercrime statistic. Contact Thrive today so we can work alongside you to comprehensively safeguard your systems, data, team, and tenant community with cutting-edge cybersecurity services. Using our CIS-aligned frameworks, we allow you to provide your services with inbuilt peace of mind.

Thrive Spotlight: Eric Thompson – VP, Cloud Infrastructure

Welcome back to another installment of our “Thrive Spotlight” blog series.

Our featured employee is Eric Thompson, VP of Cloud Infrastructure.  As VP of Cloud Infrastructure, he is responsible for our datacenter operations, backup solutions, and disaster recovery for our clients.  He has had many roles since he started with Thrive as a Tier 1 onsite engineer.

Eric lives in the Boston, Massachusetts area and works out of our Woburn office.  Outside of work, he enjoys spending time with his family skiing, camping, biking, or other outdoor activities.  Like most engineers, he enjoys tinkering with different tech for his house.

Hi Eric!  Can you tell us about your background and how you came to Thrive?

I initially interviewed with Thrive in college and then later interviewed in the original Concord office.  The MSP space seemed like a great way to get exposure to all different technologies and businesses.

Where did you go to school or get training?

I graduated from Bryant College in 2004.  Since attending, the school is now named Bryant University.

What do you most enjoy about working for Thrive?

Thrive is a fast-paced environment and no two days are ever the same. Technology is ever-changing, so that keeps any challenges fresh and engaging. I also enjoy the people I work with at Thrive; they enjoy what they do, which makes Thrive a great place to work.

Are there any recent exciting projects at Thrive you can tell us about?

Currently, I am working on modernizing our Cloud offering with VMware NSX-T and VMware Cloud Director.


Are you interested in learning more about Thrive? Click here!

Don’t forget to follow us on Twitter and LinkedIn for the latest news, and continue checking our blog for more in our “Thrive Employee Spotlight” series. Until next time…

Thrive Enables Businesses to Stay Primed With Modern, Digital Infrastructure at a Manageable Cost

Thrive helps businesses across industries find the right infrastructure and cybersecurity solutions to modernize their systems and stay secure. Its solutions are affordable, powerful, and customizable to fit any business environment. The team also partners with clients to ensure all their needs are met. We spoke with Rob Stephenson, CEO of Thrive, about the platform and its unique benefits.

SEC Unveils New Look for Regulation S-P: What Your Organization Needs to Know

Thrive is continuously monitoring changes in the regulatory environment to ensure we are prepared to help our clients achieve and maintain compliance. The U.S. Securities and Exchange Commission (SEC) adopted updates to Regulation S-P (Reg S-P) on May 15, 2024, and set the effective compliance deadlines at 18 and 24 months depending on organization size (see Table 3 under Section II.F of the final rule for size definitions). Regulation S-P specifies how covered institutions are required to protect consumer financial and personal information under the Safeguards Rule, and how covered entities should securely dispose of covered information under the Disposal Rule (collectively “Rule(s)” herein). This post provides a synopsis of the key rule elements and corresponding practices and technologies that can enable compliance. The changes are “designed to modernize and enhance the protection of consumer financial information” via three primary updates including:  

  • Requiring Incident Response Plan (IRP) policies and procedures. 
  • Mandating “timely” notification to affected individuals after a sensitive information breach.  
  • Expanding the scope of information and entities covered under the Rule.¹

Many covered entities have already begun adjusting their information security and compliance strategies over the past few years in light of elevated regulatory activity from the SEC which includes multiple proposals specifically focused on addressing information technology and cybersecurity risks. While there aren’t any surprises in the Regulation S-P updates, organizations subject to the rule should now evaluate their current practices to ensure alignment from a policy, technical capability, and operational perspective.  

Incident Response Plan (IRP) Requirements 

The adopted changes require implementation of an “incident response program for unauthorized access to or use of customer information, including customer notification procedures” that are reasonably designed to “detect, respond to, and recover from” unauthorized access and use of consumer financial information.² A comprehensive incident response program is rooted in an accurately scoped policy, enabled by appropriate technology implementation(s), and maintained by complementary operational processes.  

Policy

An IRP is a written document formally approved by management that outlines the types of cyber threats the business is likely to face and what controls are in place for detecting, responding, and recovering from these events. A risk-based approach is important when designing an IRP and organizations should first perform activities such as data classification and business impact analysis to ensure the policy is appropriately scoped.  

With respect to Reg S-P specifically, covered entities should identify what type(s) of covered information they collect, where this data is stored, and what data protection and access controls are in place. The updated rules explicitly require a scope that enables assessment of “the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of information that may have been accessed or used without authorization”.² Of course, the IRP should include the entire business entity, but understanding where the critical data and information assets reside is an important precursor to designing an appropriate layered defense model and establishing compliance with the updated regulation.  

Technical Implementation  

Technical controls supporting the IRP should include detective and preventative security measures applied and configured specifically to the organization’s environment. There is no “one size fits all” approach, which is why having an accurately defined policy is fundamental to appropriately selecting and deploying technical safeguards. Common deployments include (but aren’t limited to):

  • Data Security: encryption (at rest and in transit), access controls, network segmentation, data governance monitoring, and data loss prevention (DLP) mechanisms such as blocking removable media and monitoring outbound communications for unprotected sensitive data. Organizations should also ensure secure data disposal and destruction mechanisms are in place to ensure discarded media does not result in unauthorized access exposure.   
  • Asset Security: Next-generation asset-based solutions such as Endpoint Detection and Response (EDR) software provide live monitoring of user assets across the environment and proactively detect, prevent, and alert on malicious threat vectors. Additionally, hard drive encryption is natively built into many modern operating systems, while agent-based applications can ensure devices remain up to date (e.g., RMM) and restrict the types of connections or applications permitted on managed devices (e.g., URL filtering, restricting local administrative rights, hardening configurations to disable unused ports/protocols).
  • Network Security: Networks (including the office(s), data centers, and/or cloud/SaaS environments) must be protected via appropriate threat detection capabilities. Solutions include Managed Detection and Response (MDR), Extended Detection and Response (XDR), conditional access, Identity and Access Management (IAM), enterprise firewalls, and zero trust architecture (ZTA). Log aggregation and secure storage are also important to enable forensic examination and accurate reporting if a material incident occurs.
  • Availability / Recovery: Incidents still can (and will) happen even with best-of-breed security solutions in place, and it’s important that the business can efficiently recover when they do. Solutions that enable system availability include backups, geographically diverse disaster recovery (DR) environments, and high availability cloud configurations.

Operational Considerations

Having the right skilled resources in place to design and implement appropriate controls and write policy is where compliance with Reg S-P begins, but ongoing monitoring and response is where the value is continually delivered. Organizations should ensure that resources receiving and monitoring the output of technical detective and preventative systems – whether in house or outsourced – are suitably trained to interpret the data and take corresponding actions when anomalous or malicious activity is detected. Many organizations choose to work with an outsourcing partner (e.g. MSSP) that provides 24×7 Security Operations Center (SOC) monitoring and incident response services.  

Breach Notification  

The updated regulation also mandates that the incident response programs include mechanisms to notify affected individuals “whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization”.² Prominently, the same clause also states that notification is not required if “after a reasonable investigation…the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience”.²  

Meeting this requirement demands careful analysis from multiple stakeholders, including legal, operations, and information technology; however, organizations must have the foundational elements referenced above – specifically mechanisms/products such as data classification, data governance, data protections, and security monitoring/logging/reporting – in place to be able to perform that analysis in the first place. A gap or weakness in any of these areas may preclude an organization from justifying a reporting exemption or providing an accurate disclosure of events. If an organization cannot validate which system and data assets were impacted by a cyber incident, it may need to provide a breach notification to all (current and former) customers.

Breach Notification Timeline

The updated regulation will also require a “clear and conspicuous notice to affected individuals” by means “designed to ensure that the individual can reasonably be expected to receive actual notice in writing”.² Importantly, there is now a 30-day shot clock on providing the notification, with exceptions only if the U.S. Attorney General has determined that providing such a notice would “pose a substantial risk to national security or public safety”.² There are also specific notice standards (Section II.A.3a in the Final Rule) that organizations should be aware of when determining whether a notice is required and how to comply with the notification mandate under various circumstances. Sections II.A.3b and II.A.3c provide additional clarity on the definitions of “sensitive customer information” and “substantial harm or inconvenience” respectively; both should be reviewed when developing the mechanisms an organization’s IRP uses to analyze whether a notification is required.

Scope Adjustments

The Final Rule also includes adjustments that broaden both the scope of entities covered by the required activities and the scope of data assets.

Service Providers

Service providers are not themselves brought under the SEC’s regulatory jurisdiction by the updated Rules (except for those that are already covered entities). However, the Reg S-P update does require that a covered organization’s IRP development include:

a. appropriate measures for ensuring that service providers are protecting covered information, and

b. mechanisms for the covered organization to receive notifications from service providers if a service provider experiences a breach impacting covered information.

The maximum allowable timeframe for service providers to provide notification is defined as 72 hours in the updated final text. Covered organizations should work with service providers to determine appropriate mechanisms designed to ensure receipt of such notifications within the compliance time limit. This mandate again highlights the critical importance of conducting thorough data classification and related analysis, which enables organizations to readily map which third parties are in scope with respect to covered information. Additionally, receipt of a service provider notification should automatically trigger the covered organization’s IRP, including analysis of whether client notification is required.

Definitions of Covered Information and Covered Entities

The updated regulation broadens the scope of protected information by introducing the new term “customer information” (replacing the term “customer records and information”), which is defined as “any record containing nonpublic personal information as defined in Section 248.3I3 about a customer of a financial institution, whether in paper, electronic, or other form”.² These records include any “information that a covered institution maintains or otherwise possesses for a business purpose” – businesses subject to the regulation should ensure the scope of their data classification exercises is adjusted to include all information that may fit into this category. The broadened scope now applies to information about customers and non-customers that the organization may have obtained through the course of other business relationships. This change is intended to provide additional consistency with the Gramm-Leach-Bliley Act (GLBA), which imposes similar and overlapping requirements in some situations. Importantly, the SEC notes that these protection obligations extend throughout the lifecycle of the information and include secure disposal, further underscoring the importance of a well-defined secure destruction and disposal process.

In addition to the information scope changes, the update extends the applicability of Regulation S-P to transfer agents, since they maintain detailed covered information related to securities holders.

A Note on Recordkeeping  

The Reg S-P updates also incorporate new recordkeeping requirements pertaining to “written records documenting compliance with the requirements of the safeguards rule and of the disposal rule”.² The retention timeframes vary by entity type, and covered organizations should review Table 1 under Section II.C of the Final Rule for the information relevant to their entity designation.

How Can Thrive Help?  

Thrive delivers global technology outsourcing for cybersecurity, Cloud, networking, and other complex IT requirements. Thrive’s NextGen platform enables customers to increase business efficiencies through standardization, scalability, and automation, delivering outsized technology returns on investment (ROI). Thrive accomplishes this with advisory services, vCISO, vCIO, consulting, project implementation, solution architects, and a best-in-class subscription-based technology platform. Thrive delivers exceptional high-touch service through its POD approach of subject matter experts and global 24x7x365 SOC, NOC, and centralized services teams. Learn more at www.thrivenextgen.com.


Disclaimer: Nothing herein shall constitute legal advice, compliance directives, or otherwise. Covered entities should consult an attorney and/or other compliance professional regarding their organizations’ compliance obligations, including, without limitation, the regulations described herein.  

Source Information:

1 – https://www.sec.gov/files/34-100155-fact-sheet.pdf

2 – https://www.sec.gov/files/rules/final/2024/34-100155.pdf

How IT outsourcing allows Hedge Funds to maintain top performance for their funds and their investors

While performance in 2024 has been moderately positive year-to-date, the hedge fund industry faces the challenge of safeguarding these gains against a multitude of domestic and international factors that remain at play for both your Prime Broker (PB) and your IT provider. Both are aligned with your success in risk mitigation, and their mutual cooperation couldn’t be more important. As the only global IT provider from the HF industry, Thrive recognizes the cooperative roles each entity plays in ensuring the safety of a well-performing fund for the benefit of your investors.

Alignment for Better Business Outcomes

At the core of any risk strategy lies the identification and assessment of risks. For your PB, real-time consideration of portfolio risks and periodic reviews of operational risks are essential. Since leverage has plateaued since 2008 (affecting fee generation), managing risk is pivotal for a healthy PB relationship. Balancing the quality of your portfolio to allow for an optimized margin balance is something everyone wants, and it will be based on a number of factors you can evaluate, such as correlation risk, historic Sharpe ratio, derivative pricing confidence, collateral quality, and counterparty creditworthiness, among others. This falls largely on the COO or CFO and their operations team to ensure the most beneficial and accurate treatment is being extended to the firm. Meanwhile, consider that your IT provider is similarly aligned with your fund’s success: farther removed from your portfolio details, of course, but intimately familiar with the tools, connectivity, and counterparties that you depend on.

Qualification of a Managed Security Services Provider (MSSP)

In today’s landscape, IT providers must resemble cybersecurity businesses (MSSPs) to succeed. Most platforms default to convenient configurations rather than secure ones, prompting the SEC to mandate inventorying these data points from an IT risk perspective. While your engagement policies may appear as checkboxes to auditors, real-time anomaly reporting against these policies is fundamental for responsible competition and scaling in the multi-cloud environment. Over the years, top IT providers like Thrive (through its acquisition of Edge Technology) and premier PBs have collaborated to set reasonable standards that protect market interests. Prior to the pandemic, we led a campaign together with a global prime broker to enforce encrypted communication via TLS across common client mail systems, as this was a standard practice we encouraged with most clients. Together, that raised important awareness and potentially thwarted some amount of phishing while people became better trained.

However, the recurrent nature of the cybersecurity topic now verges dangerously close to echoing a broken record, even as its significance remains paramount. We observe a shift from ransom-focused malware to outright wipe-ware, emphasizing the need for robust security measures as motivations move from ransom to outright harmful intent by coordinated state actors. At Thrive, we advocate for a mesh of security services that provide real-time event generation and response, extending network and domain policies beyond office boundaries to multi-cloud services using Secure Web Gateways. Today’s rapid, easy adoption of many young, emerging technologies is both promising and eerily reminiscent of the weaknesses the industry showed in earlier years. Wrapping a mesh of security around these younger offerings makes the same balancing act achievable, so a competitive fund can leverage newer technologies with more confidence. While technology lacks a UL listing, a balanced practitioner’s approach can maintain top performance for you and your investors.


Feel free to reach out if you would like to learn more about technology outsourcing for financial services. Our team of subject matter experts is ready to help you meet your desired business outcomes.