Implementing Cybersecurity Guidance
Cyber attack incidents have only continued to grow since the SEC’s Office of Compliance and Investigations (OCIE) began conducting examinations of investment managers to assess their vulnerability to cyber attacks. Since those initial examinations began, the SEC and other regulatory organizations, such as FINRA, have released several alerts and guidance updates. With so much information circulating, it can be challenging to know exactly which steps to take when establishing a cybersecurity plan. Today, we explain four common cybersecurity best practices and how to implement them at your firm.
Written Cybersecurity Policies and Procedures
A firm’s cybersecurity policies and procedures should be documented in a formal, written plan. The plan should explain exactly how confidential data is protected. Having a written plan in place keeps new hires informed of the firm’s cybersecurity practices and reduces the risk of human error when employees leave and their knowledge leaves with them.
Vendor and Service Provider Due Diligence
Third-party service providers are a significant security risk that is often overlooked. When enlisting the support of a vendor or service provider, it’s important to vet their security practices. Considering that a third party could hold vast amounts of your firm’s data at any one time, the potential consequences of a breach are immense. Your vendor management program should treat each provider’s financials, contracts, risks, and cybersecurity preparedness as critical evaluation factors.
Incident Response Plans
Incident response plans define the procedures to follow in the event of a cybersecurity breach or threat. The plan should specify which individuals or departments will be responsible for specific tasks, as well as how to decide when to report the incident to necessary third parties such as clients and regulators.
Employee Cybersecurity Training
Human error is one of the most common causes of cybersecurity breaches. To mitigate this risk, it’s critical to conduct training on the firm’s cybersecurity policies and procedures at least once per year. The training should teach employees about the risks the firm faces, cybersecurity best practices, and how they should respond to potential threats.