OCIE September Risk Alert: Are You Cybersecurity Audit-Ready?
The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently issued an update to its Cybersecurity Examination Initiative, the third one related to this initiative, alerting businesses in the securities industry to the newest areas within cybersecurity practices they will be examining. In each of these six focus areas, examiners will assess the extent to which firm procedures and controls have been implemented, in order to promote better compliance practices and ultimately improve cybersecurity preparedness:
Governance and Risk Assessment
Examiners will look to see if firms have any governance and risk assessment processes in place that address the other focus areas listed below. Additionally, they will examine how frequently firms test their plans and evaluate their risks. Finally, they will gauge the level of involvement of senior leadership and the board of directors. According to the Ponemon Group 2015 Cost of a Data Breach Study, the cost of a data breach goes down when a company’s board of directors is heavily involved during a breach. If you would like assistance assessing your cybersecurity risks or devising crisis communications strategies involving your senior leadership, contact us today.
Access Rights and Controls
Controlling access to sensitive information and systems, both internally and externally, can reduce the risk of unauthorized data exposure. Examiners will review what controls are in place, specifically how access to various systems and data is regulated through the management of user credentials, authentication, and authorization methods. Need assistance in planning and implementing ways to segment access? Review the Preparis Cybersecurity Solution to see how we can help guide your efforts.
Data Loss and Prevention
Monitoring the health of your systems and keeping them updated will help you overcome vulnerabilities in outdated software that provide easy access for cyber criminals to steal data. In fact, Verizon reported nearly 100% of exploited vulnerabilities between 1999 and 2014 occurred more than a year after patches were made available. Examiners will assess how firms monitor for potentially unauthorized data transfers, the volume of data transfers, and how they determine the authenticity of customer requests for data transfers. Contact us if you would like assistance scanning your systems for vulnerabilities and ways to monitor data transfers.
Many of the largest data breaches have resulted from hackers targeting third-party vendors. As such, examiners will concentrate on what vendor management controls are in place, including vendor selection, monitoring and oversight, and even vendor roles in the firm’s continued cyber risk assessment. For more information on assessing third-party vendors, read our “Third Party Vendor Assessments Are Key to BCP and Cybersecurity for Asset Managers” blog post.
All it takes is one employee to break the link in your cybersecurity defense. According to the National Security Institute, roughly 75% of all security breaches occur from unintentional employee mistakes. That is why training personnel and continuing their education is so important. Examiners will look at how training is implemented across the firm, how it encourages responsible behaviors among employees and vendors, and how it incorporates cyber risk and response procedures on a regular basis. We offer a training program complete with online courses, checklists, and tabletops to help you educate your staff. Click here to take a sample training course.
Because of the unique nature of cybersecurity incidents, it is important to have a customized procedure for responding to and recovering from such crises. Examiners will review those procedures, paying particular attention to assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. As part of a complete business continuity program, we can help you craft your cybersecurity plans and verify they fit within your overall risk management strategy.
Passing an audit is necessary for your firm to remain open and in good standing with the SEC and other regulatory bodies. To aid in your compliance goals, we have an Audit-Ready Package that includes services to meet SEC guidelines. This package includes:
- Updated security plan
- Assessment of your cybersecurity risks
- Vulnerability scan
- Clearly defined roles and responsibilities
- Employee training and controls
- Assessment of 3rd party vendors
- And more!
To learn more about this Risk Alert and other tips on cybersecurity and disaster recovery, register for our free webinar with expert Mark McKinney and Preparis CEO Armistead Whitney, which will be held Thursday, October 22 at 2pm EST. Also, for information on how you can take advantage of our Audit-Ready Package and other ways to build and maintain a culture of preparedness within your organization, visit www.preparis.com or email email@example.com.