SEC CYBERSECURITY PUNCH LIST

Financial Planning - PRACTICE

The SEC has made no secret it expects advisors and brokers to ramp up their policies and procedures to guard against cyberattacks. Now, after a second wave of examinations focusing on firms’ defenses, the commission’s Office of Compliance Inspections and Examinations has produced a risk alert detailing the do’s and don’ts for firms.

KNOW YOUR WEAKNESSES

OCIE examiners praise firms that have “taken a complete inventory” of their data and information assets, and identified the potential risks to their systems, including those that could arise from third-party vendors.

STICK TO THE PLAN

While almost every firm conducted some type of risk assessment, SEC examiners found that some were failing to adhere to their own policies. For example, many firms had policies calling for annual or ongoing security reviews, but in practice conducted those evaluations less frequently.

MAKE IT SPECIFIC

Too many firms seem to be relying on off-the-shelf, check-box compliance programs downloaded from the internet, OCIE examiners found. Some firms were relying on policies that were vague and not “reasonably tailored” to the firm’s operations, meaning they were of limited value.

SET YOUR STAFF STRAIGHT

OCIE found that some firms “created contradictory or confusing instructions for employees” that could put cybersecurity concerns at odds with business operations. In particular, the commission learned that some firms struggled with inconsistent policies governing remote client access and transferring funds.

FOLLOW THROUGH ON EMPLOYEE TRAINING

While firms typically required employees to undergo cybersecurity training, OCIE found that some did not actually ensure that those sessions were completed.

KEEP TECHNOLOGY UP TO DATE

Some firms were falling down on system maintenance, the OCIE reported. They used older, unpatched operating systems and failed to address the vulnerabilities identified in the penetration tests that they conducted.

LOCK DOWN ACCESS TO SYSTEMS AND DATA

The firms that maintained strict policies governing who has access to what type of data were ahead of the game on cybersecurity, the OCIE found. Successful practices include “acceptable use” policies clarifying employees’ responsibilities when using company systems, and promptly shutting down access for employees when they leave the firm.

HAVE A RESPONSE PLAN

OCIE praised firms that had a plan for how to respond to a cyberattack. If hackers breach systems and compromise sensitive information, the firm can minimize the damage by having a protocol for what actions to take and whom to contact.

SET THE TONE FROM THE TOP

OCIE indicated that members of a firm’s senior management must be involved in vetting and approving cybersecurity policies and procedures. In other words, cybersecurity must be considered first and foremost a business priority.
