Thursday, January 14, 2016

Taking #CyberSecurity to the Executive Level

CyberSecurity plan action steps

Financial industry executives have a unique responsibility to protect investors and proprietary firm information from compromise. 

FINRA (the Financial Industry Regulatory Authority) takes a broad view of cybersecurity: its expectations cover compromise through any electronic digital medium (e.g. computers, mobile devices, iPads, Internet-based systems, and software solution providers). And no matter how much of the cybersecurity task is outsourced to IT professionals, the ultimate responsibility lands on the shoulders of each firm's executive leadership. For this reason, cybersecurity practices have taken a front-and-center seat in board room discussions that reach past IT to operations, sales, vendors, and anyone else with access to electronic company data.

RND Resources has created an action plan for compliance officers and executives leading #cybersecurity initiatives for their firm. A comprehensive plan includes components such as: Cybersecurity Governance and #RiskManagement, Cybersecurity #RiskAssessment, Technical Controls, Incident Response Planning, Vendor Management, Staff Training, Cyber Intelligence & Information Sharing, and Cyber Insurance. These topics are discussed more completely on our website at .

Tips for taking action: Guideline for a Cyber-Security Board Room Meeting

  • Form a cyber-security committee to design, implement, and oversee day-to-day cybersecurity compliance efforts. Calendar regular reports and reviews to assess the activities and effectiveness of the team.
  • Educate yourself on Information Security: Research and understand various types of cyber-security threats. Speak with industry colleagues about what firms are doing to protect themselves. Make assessing cyber threats and solutions a regular part of the business cycle.
  • Know the plan. Read and keep a copy of information security policies handy. Make sure you thoroughly understand what to do in the event of an attack. Prepare as if an attack will happen one day, because chances are it will.
  • Review the plan regularly to make sure it remains relevant and up to date with current threats and trends.
  • Test the plan. Ask IT staff or outside professionals to attempt to break into the systems (a penetration test) to find where the weaknesses are before an attacker does. Run surprise or mock exercises on your staff to see how they measure up against policy and procedures.
  • Work with professionals to identify security issues and industry trends. Audit procedures and conduct forensic investigations following a breach, and at regular intervals even when no breach is suspected.
  • Supplier due diligence. Vendors and suppliers have their own management weaknesses that present a threat to you. A motivated attacker may find their way into your company records through an insecure supplier system or other means. Test supplier and vendor portals for weaknesses, and make sure staff alert the appropriate parties to anything unusual.
  • Prioritize the security to-do list. Some risks are naturally greater than others. Understand which efforts require the most resources and match them against the level of threat. Handle the items that pose the greatest risk first. Set aside some time for simple fixes and plan for long-term solutions.
  • Create a cyber-secure culture. Make certain all staff clearly understand that cybersecurity needs are taken seriously. Ask them to consider cyber risks when hiring staff, adding new customer accounts, and establishing business partnerships.

RND Resources provides regulatory compliance services and consulting for broker-dealers, investment advisory firms, and fund managers. For assistance developing a cyber-security plan tuned to regulatory requirements, feel free to call us at 818.657.0288.
