Cybersecurity Policies: What Are Regulators Looking For From Your Firm?

With increasing regulatory pressure to implement comprehensive cybersecurity policies, now is a good time to make sure your firm is prepared. The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”), the National Futures Association (“NFA”) and the Commodity Futures Trading Commission are all releasing proposed rules, guidance and/or examination priorities focused on cybersecurity safeguards. Most recently, the SEC issued a Risk Alert announcing a second round of cybersecurity exams. The first round of exams surveyed and identified the cybersecurity risks and preparedness of the securities industry. This second round will assess certain aspects of cybersecurity policies to determine firms’ progress toward full implementation. The NFA and OCIE guidance is largely overlapping but equally useful for implementing effective cybersecurity policies; these are the key areas every firm should be prepared to address:

  1. Implementation of a Formal Cybersecurity Program. A firm’s cybersecurity team should include the firm’s internal IT department or outside IT provider, the CCO, legal counsel and/or compliance consulting firm. At minimum, a firm’s cybersecurity policy should cover the following:
    1. Identifying sensitive information and any vulnerabilities that would allow such information to be misappropriated or accessed by unauthorized persons;
    2. Steps to protect sensitive information, systems and devices. This should include password policies, hardware and software security (i.e., anti-virus and intrusion detection software) and data security, among others;
    3. Procedures for monitoring and detecting cyberattacks on firm systems;
    4. Steps to take once a breach has been detected;
    5. Plan for recovery and restoration of information, systems and services;
    6. Employee training on protecting firm systems and information;
    7. Periodic policy testing and updates.
  2. Governance and Risk Assessment. Senior management should be involved to make decisions and set the “tone at the top.” Involving management early on will help foster a culture of compliance and awareness, ultimately making implementation smoother. Examiners will evaluate how frequently policies are updated, whether the risk assessment process is comprehensive and whether policies are robust enough to sufficiently protect the firm. Management buy-in is essential to ensure that the CCO and IT staff have sufficient support to meet examiners’ expectations.
  3. Access Rights and Controls. Examiners will look for appropriate controls to prevent unauthorized access to systems or information. This is a key part of any cybersecurity policy and should include, at a minimum:
    1. Tiered access. User access should be restricted to the systems and data they require to carry out their duties.
    2. Password control. Users should be prompted to use complex passwords and update them at regular intervals (e.g., every 90 days).
    3. Remote access controls. This can include protocols such as locking the account after several failed login attempts, requiring secure connections and/or closing inactive connections.
    4. User account control. Policies for maintaining user accounts are crucial to minimizing the risk of unauthorized access. Expired accounts, such as those of former employees, are especially easy targets for hackers as they are seldom monitored. This policy should cover the appropriate time period for removing accounts, such as upon termination, and who is responsible for doing so.
  4. Data Loss Prevention. Firms should establish procedures for monitoring and updating their systems on a regular basis. Most commonly, firms can use software that monitors the amount of data being downloaded or uploaded to the system in order to detect anomalies. This may also include firm policies for verifying customer fund transfer requests. Where applicable, it is important to ensure firm policies for preventing identity theft interact appropriately with cybersecurity policies.
  5. Vendor Management. Firms should carefully evaluate potential vendors for appropriate policies and safeguards, especially if they have access to the firm’s network. Some vendors that may have access include IT consultants, cloud-based document storage companies, brokers and third-party fund administrators. Hackers frequently do not infiltrate a target firm’s systems directly, but instead will attempt to breach the security of a vendor to gain back door access. Similarly, vendor diligence should cover any situation in which the vendor will keep the firm’s data on its own systems.
  6. Incident Response and Recovery. A firm’s cybersecurity policy should describe relevant breach scenarios and the safeguards in place for protecting affected data, and establish a process for restoring services and any lost or compromised data. Firms should be backing up their systems regularly (the interval will depend on the firm), either on their own servers or through a third-party IT firm. Backup sites and servers should be tested regularly for reliability. Firms using a cloud-based platform for data storage and recovery should thoroughly diligence these services. Public services usually do not provide sufficient security for purposes of regulators’ recordkeeping and disaster recovery rules. Firms looking to use a cloud-based solution should consider the increasing number of services specifically designed for regulated entities.
  7. Employee Training. The best policies, systems and software will fail if an employee, mistakenly or maliciously, allows his or her access to be used in misappropriating sensitive data. Essential topics to cover are:
    1. Remote access policies and procedures;
    2. Use of company or personal mobile devices;
    3. Use of unsecure remote internet connections;
    4. Opening messages or attachments from unknown sources;
    5. Procedures for handling unauthorized access, viruses, or any other cybersecurity threat.

Although these are the primary focus areas for the OCIE and NFA, firms should consider any other issues or risks that are relevant to their business. Neglecting to implement an appropriate policy can lead to SEC enforcement action, including fines. The most effective cybersecurity plan will leverage the expertise of a firm’s legal counsel, IT staff and compliance team or outside compliance consulting firm.
