SEC and Risk: Would You Pass?
Small businesses often think that they’re relatively safe from cyber-attacks. Aren’t hackers, after all, only interested in big fish? Unfortunately, SMBs are just as vulnerable. In fact, according to the Verizon Data Breach Investigations Report, 71% of cyberattacks take place at businesses with fewer than 100 employees. It only takes a single data breach to irreparably bring down an entire business.
The Office of Compliance Inspections and Examinations (OCIE) and the U.S. Securities and Exchange Commission (SEC) are just as aware of the uptick in attacks and have implemented the Cybersecurity Examination Initiative in response. The initiative sets forth IT security guidelines specially geared towards broker-dealers and other financial firms. Does your IT infrastructure meet these standards?
Why SMBs Need to Be in Compliance
The ramifications of even a single breach can be catastrophic. A record-breaking 3,930 incidents were reported during 2015, exposing over 736 million records. Will future customers trust your institution knowing that it has already been breached? Will current customers continue to be loyal knowing that their private data was exposed under your watch? According to SEC Chair Mary Jo White, cyber-attacks are such a grave concern that they overtake terrorism in the Division of Intelligence’s list of global threats.
OCIE has extensively studied the IT security protocol of more than 50 broker-dealers and investment advisers. Through its examination, it has identified the following areas every financial firm needs to address to be in compliance and satisfactorily meet cybersecurity preparedness:
- Governance and Risk Assessment – Examiners will evaluate firms and assess whether company-level policies meet the criteria established under the federal initiative.
- Access Rights and Controls – Audits may include how firms control access to their data and whether a multi-factor authentication system is in place for both in-house and remote workers.
- Data Loss Prevention – Examiners may assess whether protocols are in place for detecting unauthorized data transfers. This also includes close monitoring of data transferred outside the company by staffers or third-party agencies.
- Vendor Management – Hackers can access your data through poor cybersecurity practices at vendors that store your client information. Inspection may include how well your company oversees its vendors and whether it factors that oversight into its overall risk assessment.
- Training – Staffers need to be briefed on cybersecurity best practices as well as the implications of lapses, such as improperly storing company data on personal devices or failing to use a strong password.
- Incident Response – Is there a standard operating procedure in place in the event of an attack? There should be an established policy as well as assigned roles for select members.
Is Your Infrastructure Ready to Handle the Ongoing Threat?
You may want to read 5 Things Financial Firms Need To Know About Cyber Security.