Last week the SEC released what it calls a Risk Alert to investment advisers and broker-dealers, saying that it is concerned about the protection of client information because of recent attacks and attempted attacks against the financial community.
In the alert, the SEC laid out its specific concerns in 6 areas and said that it is launching a Cybersecurity Examination Initiative to drive better compliance.
The alert does not say which firms will be examined, how many, or when.
That being said, the focus of these examinations is applicable to almost every company.
The 6 areas are:
- Governance – how you are managing the cyber risk process. Are the board and C-suite actively involved? How often are you doing risk assessments? Things like that.
- Access rights and controls – are you controlling who has access to which systems and which data, and how are you managing that process (granting, reviewing and revoking access).
- Data loss prevention – monitoring information that leaves the organization electronically to make sure it is not going to places it should not, such as China or an employee's personal storage.
- Vendor management – making sure that you are not the next Target or Home Depot, both of which were breached through credentials stolen from third-party vendors that did not manage cyber security appropriately.
- Training – while training will not stop all attacks, poorly trained employees may make poor security decisions because they do not understand the risks of their actions.
- Incident response – we have seen that in some breach situations (Sony and OPM come to mind) the companies were not prepared to deal with a breach. This can turn into a PR disaster and usually increases the cost of recovering from the breach.
So, whether or not your firm is regulated by the SEC, these 6 areas are definitely a good place to start your cyber risk assessment. Once these areas are handled, you can move on to others.