As regulators continue to make cybersecurity a top exam priority and enforcement actions against advisors and brokers in the cyber space become more prevalent, Cipperman Compliance Services has devised a 12-step cybersecurity plan to give advisors some guidance on how to ensure compliance in this tricky area.
Indeed, not only did the Securities and Exchange Commission recently create a new senior advisor position on cybersecurity policy, which was filled by Christopher Hetner, but the agency’s second round of cyber exams are in full swing.
Morgan Stanley recently agreed to pay a $1 million penalty to the SEC to settle charges that it failed to protect customer information, some of which the agency says was hacked and offered for sale online. The SEC found that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data from 2011 to 2014, and that during that time a then-employee impermissibly accessed and transferred customer data on approximately 730,000 accounts associated with 330,000 different households to his personal server, which was ultimately hacked by third parties.
SEC Chairwoman Mary Jo White recently told a Senate Appropriations subcommittee that the agency would use $14.7 million of Obama’s $1.781 billion fiscal 2017 budget request to enhance the agency’s cybersecurity controls, specifically to secure the agency’s data and “what companies provide to us.”
The House Appropriations Committee voted June 9 to give the SEC $1.5 billion, more than $200 million less than Obama had requested. The Senate committee voted Thursday to give the agency $1.6 billion. The two appropriations must now be reconciled, which is expected to happen in September.
Here is Cipperman’s 12-step cybersecurity plan: Identify location of confidential information. Conduct an internal assessment of the location of confidential information and who might have access.
Restrict access: Passwords should be specific to each employee and should require updating on a periodic basis. Also, make sure to shut down access for exiting employees.
Monitor for intrusions: The IT function should add intrusion monitoring as part of the virus and security protocols. Also, IT should report multiple login failures.
Prohibit removable storage media. Also, create a hardware environment that makes it difficult to use such media.
Limit devices. Only firm-approved and encrypted devices should have access to the network/system.
Test vulnerability. Hire an IT firm to perform a vulnerability assessment and conduct penetration testing.
Evaluate vendors. Ensure vendor selection includes cybersecurity due diligence. Create ongoing monitoring and reporting system.
Report to Management. Add cybersecurity as an agenda item to every management and compliance meeting and include reports from IT and Compliance.
Appoint somebody accountable. One person should own cybersecurity compliance across the organization, whether that person resides in IT, Compliance, or Operations.
Create response plan. The response plan should include required notices to clients and regulators and how to patch vulnerabilities.
Consider cybersecurity insurance. Determine if a cybersecurity insurance policy will protect the firm against a catastrophic event.
Implement policies and procedures. Develop policies and procedures governing all of the above and annually test whether they are being followed. Also, ensure ongoing employee training.
— Related on ThinkAdvisor: