A recent article on Onwallstreet.com highlighted certain areas of focus for investment advisors and broker-dealers when it comes to addressing cyber-threats. The article focused on four areas of particular significance.
First, a firm must have a robust risk assessment approach to cybersecurity. After all, a firm cannot develop and deploy cybersecurity policies and procedures unless and until it identifies what its risks are.
Just as important, the risk assessment cannot be a one-and-done project. Best practices dictate that firms conduct risk assessments on a recurring basis to identify new risks. Attackers change their tactics, so your assessment, and the controls built on it, may have to change as well.
Second, once you develop and deploy policies and procedures, you should create and test incident response plans, for example by walking the response team through a simulated breach. Otherwise, how will you know these policies and procedures work when confronted with an actual data breach?
Third, if you use vendors, perform due diligence on them on an ongoing basis to assess their cybersecurity risks. For example, if you outsource email retention, you will want to know how that vendor protects its email archives from unauthorized access. Equally important, you should revisit what the vendor is doing for cybersecurity on a regular basis, not just at onboarding.
Fourth, train and retrain your staff so that they avoid inadvertently exposing the firm to malware. Among other things, you should consider a policy for staff to follow before they open attachments or download files from an external email or website.
These are just a few suggestions for an area of ever-increasing focus for both firms and their regulators. Avoid being a victim: assess risk, develop plans and procedures, test those plans and procedures, and educate your staff.