Please Surf Responsibly: Drawbridge’s Best Practices for Building a Safer Internet

February 11, 2020

Safer Internet Day – February 11, 2020

The key to teaching your children and teens about Internet Safety is: Start NOW

Safer Internet Day, a worldwide event observed on February 11th, aims to promote the safe and positive use of digital technology for all users – especially children and teens.

Drawbridge’s mission is to keep organizations – and individuals – safe and secure. One of the most vulnerable facets in any cybersecurity program is human error. Children and teens, often due to their innocence, curiosity, and desire for independence, are prime targets for security attacks and inadvertent breaches, from hackers and peers alike. The best solution for human vulnerability at any age is education and proper training, as early as possible.

This year’s Safer Internet Day theme—Together for a better internet—encourages everyone to play their part in creating a safer, more secure internet. Adults and organizations must work hand in hand with children and teens to increase awareness about internet safety. With proper practices in place, we can all forge a safer and smarter internet landscape.

To build a safer cyberspace for children, teens, and adults, the Cybersecurity and Infrastructure Security Agency (CISA) encourages all people to view the Safer Internet Day website and the following tips for children, for teens, and for cyber-bullying prevention.

Drawbridge’s Keys to Privacy

January 28, 2020

Checklist for Alternative Investment Managers

Data Privacy Day – celebrated on January 28 – brings awareness to the private sector around the safety of personal data and best practices for protecting one’s own data.

For Alternative Investment Managers, concerns around data safety and protection of their firm’s data cannot be highlighted just one day a year – it must be a constant focus.

As 2020 kicks off, having a robust data privacy program and 24/7 diligence must be a top priority for every manager. Now more than ever, ensuring the protection of all organizational personal information is crucial for every firm’s professional reputation, and ultimately – success. Regulations like GDPR, CCPA, and Cayman DPL are demanding the highest level of security for confidential data. What’s more, investors are too.

For Drawbridge, privacy is at the core of our mission. We’ve identified the key foundational pillars to build a data privacy program that exceeds regulatory and investor demands:

  1. Identify the key regulations your firm must comply with (GDPR, CCPA, Cayman DPL, etc.)
  2. Ensure your cybersecurity program includes protection of sensitive data – using a privacy module is best
  3. Use our Data Privacy Checklist to ensure every corner of your firm is protected:

Drawbridge’s Privacy Checklist:

    • Review the specific requirements for each relevant regulation
    • Ensure your policies include data classifications
    • Update and review your privacy policy and privacy notice
    • Review your vendor agreements and contracts
    • Conduct data mapping exercises to identify where your critical data resides
    • Clearly outline how critical data is protected

Pressure from regulators – and inevitably, your investors – around privacy will continue ramping up in 2020. Is your organization prepared and protected?
January 27, 2020

SEC OCIE Publishes Observations on Cybersecurity and Resiliency Practices

On Monday, January 27th 2020, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued examination observations related to cybersecurity and operational resiliency practices.

The observations focus on the following areas:

  • Governance and Risk Management
  • Access Rights and Controls
  • Data Loss Prevention
  • Mobile Security
  • Vulnerability Management
  • Incident Response and Resiliency
  • Vendor Management
  • Training and Awareness


Cybersecurity News: SEC & CFTC Update

January 8, 2020

Cybersecurity News Alert


On Tuesday, January 7th 2020, the U.S. Securities and Exchange Commission (the “SEC”) released the examination priorities for 2020. The SEC has shifted their examination priorities from years past in an effort to adapt to emerging risks, but cybersecurity continues to remain a top priority for the SEC. The SEC will be focusing on the following key areas with respect to cybersecurity:

  • Proper configuration of network storage devices
  • Information security governance
  • Retail trading information security
  • Governance and risk management
  • Access controls
  • Data loss prevention
  • Vendor management (this includes cloud-based service providers)
  • Training
  • Incident response and resiliency
  • Proper disposal of retired hardware
  • Controls surrounding online access and mobile application access to customer brokerage account information


Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)

July 31, 2019

On July 25, 2019, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the Identity Theft Prevention and Mitigation Services Act were signed into law in the State of New York. Both Acts strengthen cybersecurity and consumer privacy protections for New York state residents.


The SHIELD Act amends New York’s breach notification law by:
May 23, 2019

On May 23, 2019, the Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new risk alert identifying security risks associated with the storage of electronic customer records and information in various network storage solutions, including cloud-based storage. Some of the concerns brought to light from recent examinations were misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures.

The Risk Alert can be viewed in its entirety here.


May 14, 2019

Yesterday, various governmental agencies and news outlets were made aware of a security vulnerability affecting the WhatsApp messaging platform. The vulnerability may have enabled malicious actor(s) to inject spyware on user devices which potentially exposed user information on mobile devices. WhatsApp has encouraged users to update the application immediately to avoid potential exposure and compromise of data.

To update WhatsApp on various platforms:


Hedge Funds Besieged by Hackers on Daily Basis

May 1, 2019

By David Beach — May 1, 2019

Hackers are exploiting inherent weaknesses in mature hedge funds on a daily basis, say a security vendor and the chief technology officer of an established fund, leading to huge boosts in cybersecurity spending.

“Hedge funds are being targeted simply because of cash movements where frequent large transfers are normal at a small business that doesn’t necessarily have all the controls in place,” says Jason Elmer, managing partner at Drawbridge, the cybersecurity consultancy.

For smaller funds, cyber threats have become an ever more daunting prospect as hackers become more efficient and the reputational effects of a breach become more severe, believes Elmer.

“We’ve seen it both sides, investors being targeted via a fund that was spoofed – we saw a capital call of $7m that didn’t go out the door – and we’ve also seen the other side where a wire to an investor has gone out with fraudulent transfer requests,” says Elmer.
April 18, 2019


For individuals using Broadcom Wi-Fi: on April 17, 2019, the CERT Coordination Center (“CERT/CC”) published information identifying various vulnerabilities stemming from the Broadcom ‘wl’ driver and the open source ‘brcmfmac’ driver for Broadcom Wi-Fi chipsets. Ultimately, these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on a vulnerable system, most frequently resulting in a denial-of-service (DoS) attack.
April 16, 2019

Today, April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a risk alert regarding compliance issues related to Regulation S-P. The focal points identified by the OCIE were the failure to provide customers with privacy and opt-out notices, as well as the failure to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.