Assessing Cybersecurity Preparedness
By George Ralph, Managing Director, RFA
Last week, I wrote a brief post explaining the key focus areas outlined in FINRA’s 2016 Regulatory Examination Priorities Letter, which included culture, conflicts of interest and ethics; supervisions, risk management and controls; liquidity; sales practices, financial and operations controls; and market integrity. This week, I will delve into one of the broadest focus areas for FINRA and one of the most top of mind for our hedge fund and asset management clients: supervisions, risk management, and control of technology infrastructure. When it comes to technology infrastructure, FINRA will be evaluating cybersecurity preparedness by honing in on a firm’s hardware and software, in addition to the personnel tasked with its management.
As I discussed last week, firms must demonstrate compliance with cybersecurity controls and prove that mechanisms are in place to support data quality and governance. They will also need to demonstrate that they have strong vendor management programmes and reporting practices in place. As you begin to evaluate your firm’s cybersecurity preparedness, be sure to focus on the key areas of risk management, data protection and governance, incident response, and vendor management. Read on for a definition of each key area and some suggested resources to get you started.
Risk is the key driver for every business, and the current status of business risk and proposed mitigation activities should be presented and evaluated regularly. There are only four key methods to manage risk, and these include mitigation, transference, acceptance, and avoidance. Each risk is categorized based on its potential impact.
Learn more about risk management here.
Data is the most important element of any organisation, and as a result, companies of all types and sizes need to understand who uses it, and where and how their data is stored. Data governance and auditing is defined as a group of measures that ensures essential data assets are formally managed throughout an organisation. For hedge funds and investment firms this data can include investor information, investment decisions and other critical firm information. With the growth of unstructured data, which refers to data that is not organised in a specific manner, organisations have needed to develop governance and auditing methods to ensure that they can identify the locations and usage of their critical data pieces.
Learn more about data protection and governance here.
Incident response plans define the procedures to follow in the case of a cybersecurity breach or threat. The plan should take into account which individuals or departments will be responsible for specific tasks, in addition to how to decide when to report the incident to necessary third parties such as clients and regulators.
Learn more about incident response here.
A vendor management programme must not only consider financials, contracts and reputational risks, but must also treat cybersecurity preparedness as a critical evaluation criterion. The first step in any vendor management programme should of course be to know your suppliers inside and out, understanding what services they provide for the firm and what data they are party to.
Learn more about vendor management programmes here.