It's back to school time - time to put away the flip flops and beach chairs and settle back into the routine. To help motivate you, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) has announced a new round of cybersecurity examinations! This comes on the heels of the SEC's sweep exam of broker-dealers and registered investment advisers and the issuance of its February 2015 summary observations from that sweep.
Last month, our August webinar discussed third party vendor security management in a more general context, and how critical vendor management is to the overall cybersecurity health and resilience of your organization. Over 500 people took a break on a beautiful August day to catch the webinar - if you missed it, click here to playback the webinar.
We had already planned our September topic -- Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking -- but it is even more timely in light of last week's OCIE announcement.
In this next round of OCIE examinations, the office will direct the testing at implementation of key controls and procedures, none of which will be surprising to regular readers of this blog.
- Governance & Risk Assessment: current processes tailored to the business with senior management and board involvement
- Access Rights & Controls: controls across, within, and without the enterprise, including access tracking, credentialing, Bring Your Own Device (BYOD) and other issues
- Data Loss Prevention: patch management, system configuration, outbound communications, with special emphasis on personally identifiable information (PII)
- Vendor Management: (see last month's Privacy webinar)
- Training: both employees and vendor
- Incident Response Plans
The September Privacy Wednesday webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers (and specifically look at the OCIE standards and exam process). Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations . Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking and money services firms collect, retain, protect and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and expert insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.