With Lisa Toth, Head of US Risk, Compliance and Regulation, Hatstand
There has been a lot in the press over the last year on not IF you will experience a cyber-related event but WHEN. With this in mind, every firm should have a clear understanding of its cybersecurity preparedness against not only external threats, but also internal ones. A sound cybersecurity program should cover governance, asset definition, communication protocols, incident management, employee training, resource assignment and accountability, current threat awareness (internal and external), control deployment and disaster recovery/business continuity.
Early in January 2015 the Securities and Exchange Commission (SEC) released guidance on its expectations for cybersecurity programs for registered advisers and funds, identifying what it would be looking at during its 2015 exam reviews. In May, the SEC further recommended that investment companies and advisers consider assessments of their cybersecurity controls, strategy and procedures. This theme from the regulators has been picked up globally, encouraging firms to take a more proactive view of their risks: benchmarking where they stand today and putting in place a plan to close any identified gaps in their current cyber defence practices. This benchmarking process should not be a one-off exercise but rather a continuous, periodic process, showing key stakeholders that the firm is taking its cybersecurity risk management responsibilities seriously and evidencing this by comparing its progress against the baseline assessment.
In terms of resources, there are a few assessment tools and frameworks that can assist in this process, as well as consulting firms that are well versed in running these assessments. The building blocks commonly used by the financial industry are provided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Council on Cybersecurity (CCS) Critical Security Controls and, just released in June, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment model.
The value of the assessments is to give management a very clear picture of the key assets that need to be protected, as well as identifying where the firm is most vulnerable with regard to those same assets. Firms can then use this knowledge to plan and make provision for the right balance between defensive controls and their cost of implementation, supplemented by policies and procedures.