Cybersecurity Policies: What Are Regulators Looking For From Your Firm?

With increasing regulatory pressure to implement comprehensive cybersecurity policies, now is a good time to make sure your firm is prepared. The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”), the National Futures Association (“NFA”) and the Commodity Futures Trading Commission are all releasing proposed rules, guidance and/or examination priorities focused on cybersecurity safeguards. Most recently, the SEC issued a Risk Alert announcing a second round of cybersecurity exams. The first round of exams surveyed and identified the cybersecurity risks and preparedness of the securities industry. This second round will assess certain aspects of cybersecurity policies to determine firms’ progress toward full implementation. The NFA and OCIE guidance is largely overlapping but equally useful for implementing effective cybersecurity policies; these are the key areas every firm should be prepared to address:

  1. Implementation of a Formal Cybersecurity Program. A firm’s cybersecurity team should include the firm’s internal IT department or outside IT provider, the CCO, legal counsel and/or a compliance consulting firm. At minimum, a firm’s cybersecurity policy should cover the following:
    1. Identifying sensitive information and any vulnerabilities that would allow such information to be misappropriated or accessed by unauthorized persons;
    2. Steps to protect sensitive information, systems and devices. This should include password policies, hardware and software security (e.g., anti-virus and intrusion detection software) and data security, among others;
    3. Procedures for monitoring and detecting cyberattacks on firm systems;
    4. Steps to take once a breach has been detected;
    5. Plan for recovery and restoration of information, systems and services;
    6. Employee training on protecting firm systems and information;
    7. Periodic policy testing and updates.
  2. Governance and Risk Assessment. Senior management should be involved to make decisions and set the “tone at the top.” Involving management early on will help foster a culture of compliance and awareness, ultimately making implementation smoother. Examiners will evaluate how frequently policies are updated, whether the risk assessment process is comprehensive and whether policies are robust enough to sufficiently protect the firm. Management buy-in is essential to ensure that the CCO and IT staff have sufficient support to meet examiners’ expectations.
  3. Access Rights and Controls. Examiners will look for appropriate controls to prevent unauthorized access to systems or information. This is a key part of any cybersecurity policy and should include, at a minimum:
    1. Tiered access. User access should be restricted to the systems and data they require to carry out their duties.
    2. Password control. Users should be prompted to use complex passwords and update them at regular intervals (e.g., every 90 days).
    3. Remote access controls. This can include protocols such as locking the account after several failed login attempts, requiring secure connections and/or closing inactive connections.
    4. User account control. Policies for maintaining user accounts are crucial to minimizing the risk of unauthorized access. Expired accounts, such as those of former employees, are especially easy targets for hackers as they are seldom monitored. This policy should cover the appropriate time period for removing accounts, such as upon termination, and who is responsible for doing so.
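To make the four access controls above concrete, here is an added example (not from the article or any regulator) of a small audit over a constructed account inventory: it flags password age beyond the 90-day interval named above, terminated employees whose accounts are still enabled, accounts past a failed-login threshold that were never locked, idle sessions that were never closed, and entitlements beyond a user's role. The lockout count, idle timeout, removal grace period and role-to-system mapping are assumptions, since the text leaves them to each firm.

```python
from datetime import date

# Thresholds: the 90-day rotation is from the guidance above; the rest are assumed
# values for points the text leaves open ("several" failed attempts, "inactive").
PASSWORD_MAX_AGE_DAYS = 90
FAILED_LOGIN_LOCKOUT = 5            # assumption
IDLE_SESSION_TIMEOUT_MIN = 15       # assumption
TERMINATION_REMOVAL_GRACE_DAYS = 1  # assumption: disable by the next day

# Assumed role-to-system entitlements used for the tiered-access check.
ROLE_SYSTEMS = {"trader": {"oms", "email"}, "ops": {"email", "custody-portal"}}
AUDIT_DATE = date(2016, 6, 1)  # constructed audit date

# Constructed sample of an account inventory, one record per user.
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "role": "trader", "enabled": True, "terminated_on": None,
     "password_set_on": date(2016, 4, 1), "failed_logins": 0, "locked": False,
     "idle_session_min": 5, "systems": ["oms", "email"]},
    {"user": "asmith", "role": "ops", "enabled": True, "terminated_on": date(2016, 5, 20),
     "password_set_on": date(2016, 1, 1), "failed_logins": 0, "locked": False,
     "idle_session_min": 0, "systems": ["email", "custody-portal"]},
    {"user": "svc-backup", "role": "ops", "enabled": True, "terminated_on": None,
     "password_set_on": date(2016, 5, 1), "failed_logins": 7, "locked": False,
     "idle_session_min": 40, "systems": ["email", "custody-portal", "oms"]},
]

def audit_accounts(accounts, today):
    """Return (user, finding) pairs for every policy point an account violates."""
    findings = []
    for a in accounts:
        user, enabled = a["user"], a["enabled"]
        if a["terminated_on"] and enabled and \
                (today - a["terminated_on"]).days > TERMINATION_REMOVAL_GRACE_DAYS:
            findings.append((user, "terminated-account-still-enabled"))
        if enabled and (today - a["password_set_on"]).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((user, "password-older-than-90-days"))
        if enabled and a["failed_logins"] >= FAILED_LOGIN_LOCKOUT and not a["locked"]:
            findings.append((user, "failed-login-threshold-reached-but-not-locked"))
        if enabled and a["idle_session_min"] > IDLE_SESSION_TIMEOUT_MIN:
            findings.append((user, "idle-session-not-closed"))
        extra = set(a["systems"]) - ROLE_SYSTEMS.get(a["role"], set())
        if extra:  # tiered access: entitlements beyond what the role needs
            findings.append((user, "access-beyond-role:" + ",".join(sorted(extra))))
    return findings

def run_sample_audit():
    """Audit the constructed inventory; prints nothing, returns the findings."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
```

Running it against a real user directory export would mean mapping each record into the fields above; the constructed data here yields five findings, none of them for the compliant user.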
  4. Data Loss Prevention. Firms should establish procedures for monitoring and updating their systems on a regular basis. Most commonly, firms can use software that monitors the amount of data being downloaded or uploaded to the system in order to detect anomalies. This may also include firm policies for verifying customer fund transfer requests. Where applicable, it is important to ensure firm policies for preventing identity theft interact appropriately with cybersecurity policies.
  5. Vendor Management. Firms should carefully evaluate potential vendors for appropriate policies and safeguards, especially if they have access to the firm’s network. Some vendors that may have access include IT consultants, cloud-based document storage companies, brokers and third-party fund administrators. Hackers frequently do not infiltrate a target firm’s systems directly, but instead will attempt to breach the security of a vendor to gain back door access. Similarly, vendor diligence should cover any situation in which the vendor will keep the firm’s data on its own systems.
  6. Incident Response and Recovery. A firm’s cybersecurity policy should describe relevant breach scenarios, the safeguards in place for protecting affected data, and a process for restoring services and any lost or compromised data. Firms should be backing up their systems regularly (the interval will depend on the firm), either on their own servers or through a third-party IT firm. Backup sites and servers should be tested regularly for reliability. Firms using a cloud-based platform for data storage and recovery should conduct thorough due diligence on these services. Public services usually do not provide sufficient security for purposes of regulators’ recordkeeping and disaster recovery rules. Firms looking to use a cloud-based solution should consider the increasing number of services specifically designed for regulated entities.
  7. Employee Training. The best policies, systems and software will fail if an employee, mistakenly or maliciously, allows his or her access to be used in misappropriating sensitive data. Essential topics to cover are:
    1. Remote access policies and procedures;
    2. Use of company or personal mobile devices;
    3. Use of unsecured remote internet connections;
    4. Opening messages or attachments from unknown sources;
    5. Procedures for handling unauthorized access, viruses, or any other cybersecurity threat.

Although these are the primary focus areas for the OCIE and NFA, firms should consider any other issues or risks that are relevant to their business. Neglecting to implement an appropriate policy can lead to SEC enforcement action, including fines. The most effective cybersecurity plan will leverage the expertise of a firm’s legal counsel, IT staff and compliance team or outside compliance consulting firm.