New SEC Compliance Unit Forms to Examine Private Equity and Hedge Funds
In a Risk Alert published in April, the Office of Compliance Inspections and Examinations (OCIE) announced plans to examine the cybersecurity practices of more than 50 registered broker-dealers and investment advisers to protect investors and capital markets from cybersecurity threats. The results of the OCIE examinations will shed light on where investment firms are lacking in their security practices and what they need to do to improve them.
Whether or not compliance requirements ever follow the exam, it’s important to remember that compliance does not necessarily mean that a network has been secured properly. Compliance requirements are only guidelines for securing a network. Rather than focusing on a cybersecurity exam or possible new requirements, organizations should first concentrate on securing their network. Once that is done, satisfying cybersecurity requirements easily falls into place.
Although there are no compliance requirements now for hedge funds, becoming familiar with the current Payment Card Industry Data Security Standard (PCI DSS) requirements could be a great place to start analyzing your security. The requirements serve as a good guideline for cybersecurity; not all of them will be relevant to your network, but the majority will be, and you’ll learn a good bit about what it takes to secure a network. Because both understanding the requirements and choosing the best ways to secure your network are difficult, you should consider working with a third-party security consultant or Qualified Security Assessor (QSA) to help you with both. An unbiased third-party cybersecurity expert who sells no products and often works with organizations in your industry may know of vulnerabilities, and ways to address them, that your internal team has either overlooked or is simply unaware of. A good consultant should be an expert in network architecture, threats, network protection, network policies and business operations within your industry so your company can work together as a cohesive unit.
However strong your security is, you need to be sure that vendors who interact with your network practice cybersecurity as rigorously as your company does, since you are only as secure as your weakest link.
Basic security considerations should also consist of the following items:
Web application tests to see how easily your applications can be broken into using simple hacking techniques.
Security Awareness Training to teach all employees about security precautions they need to take daily.
Policy enforcement that physically prohibits anyone from using flash drives, disks or other devices that could carry malware.
Endpoint Threat Detection, which allows you to discover compromises on your endpoints (laptops and workstations) and expel attackers from your network before damage is done.
24/7 Network Monitoring to detect attackers as soon as they break into your network.
The OCIE’s April 15, 2014, identification of risks includes the following items, all of which you should have on hand:
A copy of cybersecurity policies and procedures
A copy of cybersecurity controls, including written guidance and periodic employee training on information security risks and responsibilities
A copy of your Computer Security Incident Response Plan
A copy of your procedures for assessing cybersecurity risks posed by third-party contractors and vendors
Information on your network monitoring practices to spot unauthorized activity on your networks and devices
A copy of your procedures for penetration testing and vulnerability scans to improve your defensive measures
Even if the SEC never implements new cybersecurity requirements for hedge funds, shoring up your IT security now can protect your company’s finances and those of your customers.
Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs.
By Jeff Multz, director, North America Midmarket Sales, Dell SecureWorks