Cybersecurity Exam Focus
Following the regulatory focus on cybersecurity in the last few years, the SEC has recommitted its attention to the examination process. In 2014, the SEC conducted its first round of "Cyber Sweeps," establishing a baseline for how investment managers and broker-dealers were actually treating cybersecurity preparedness as a top-line risk item. The second round of Cyber Sweeps showed that policies were being adopted and initial steps were being taken, but it also revealed that the security, technology and other controls described in those policies were often not integrated or fully implemented. All indications are that more Cyber Sweeps are forthcoming, and that they will focus on the degree to which a multi-faceted, cross-functional cybersecurity program is integrated, tested and refined, rather than on the mere existence of one or two of its components.
Accordingly, conducting a penetration test or procuring a bespoke written policy, while both necessary components of a thorough cybersecurity program, are insufficient on their own if they are not tied to the other constituent parts that together make up a model cybersecurity program. Those elements include: (i) an inventory of your data and intellectual assets, with an assessment of each; (ii) access rights controls; (iii) data loss prevention controls; (iv) vendor management; (v) employee training; (vi) incident response planning; and (vii) a mechanism to periodically test and reassess these controls.
Put another way, the regulators will be looking for a demonstrable cybersecurity governance framework whose several elements work together. Cybersecurity risk management is not achieved merely by a written policy, a black box or a single hire; it requires a multi-disciplinary approach that brings together different solutions and harmonizes them across the entire enterprise.