As regulators continue to make cybersecurity a top exam priority and enforcement actions against advisors and brokers in the cyber space become more prevalent, Cipperman Compliance Services has devised a 12-step cybersecurity plan to give advisors some guidance on how to ensure compliance in this tricky area.
Indeed, not only did the Securities and Exchange Commission recently create a new senior advisor position on cybersecurity policy, filled by Christopher Hetner, but the agency's second round of cybersecurity exams is in full swing.
Morgan Stanley recently agreed to pay a $1 million penalty to the SEC to settle charges that it failed to protect customer information, some of which the agency says was hacked and offered for sale online. The SEC found that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data from 2011 to 2014, and that during that time a then-employee impermissibly accessed and transferred customer data on approximately 730,000 accounts associated with 330,000 different households to his personal server, which was ultimately hacked by third parties.
SEC Chairwoman Mary Jo White recently told a Senate Appropriations subcommittee that the agency would use $14.7 million of Obama’s $1.781 billion fiscal 2017 budget request to enhance the agency’s cybersecurity controls, specifically to secure the agency’s data and “what companies provide to us.”
The House Appropriations Committee voted June 9 to give the SEC $1.5 billion, more than $200 million less than Obama had requested. The Senate committee voted Thursday to give the agency $1.6 billion. The two appropriations must now be reconciled, which is expected to happen in September.
Here is Cipperman's 12-step cybersecurity plan:
Identify the location of confidential information: Conduct an internal assessment of where confidential information is stored and who has, or could gain, access to it.
Restrict access: Each employee should have individual credentials (no shared accounts), passwords should be updated periodically, and access should be shut off promptly when an employee leaves the firm.
Monitor for intrusions: The IT function should add intrusion monitoring to its antivirus and security procedures, and should report repeated login failures.
Prohibit removable storage media: Also configure the hardware environment so that such media are difficult to use.