What Firms Should Know About SEC-Conducted Cybersecurity Exams
OCIE recently released their observations from the Cybersecurity 2 Initiative. Although the investment community has come a long way since the Cybersecurity 1 Initiative, there is still more we need to do to protect our systems and data.
The following recommendations were included in the risk alert:
• Maintain a complete inventory of service providers and vendors, and of the data your firm holds. Note the risk classification, vulnerabilities, and business consequences for each.
• Cybersecurity policies and procedures should spell out exactly what must be done in each situation.
• A schedule for testing processes and data integrity should be established and maintained.
• Controls should be established to limit access to a firm’s data and systems. Access should be granted on a must-have basis.
• Employees should receive training during on-boarding and at regular intervals thereafter so they are aware of the firm’s cybersecurity policies and procedures.
• Policies and procedures should be reviewed and approved by senior management.
These recommendations will likely serve as examination priorities for future exams. Firms would be wise to incorporate them into their cybersecurity program before they receive notification of an exam.
Feel free to contact me if you would like to discuss how Cordium can assist you with your cybersecurity program.
VP of Cybersecurity and Data Protection