How to Pass the SEC’s Cybersecurity Test in 9 Steps
By Ken Fleming, director of Information Security for Conduent
Cybersecurity again looks to feature prominently on 2015’s regulatory agenda. So far this year, the Financial Industry Regulatory Authority and the SEC’s Office of Compliance Inspections and Examinations (OCIE) have announced that cybersecurity will continue to be examination priorities.
There’s no time like the present for organizations to review their cybersecurity policies and practices. An OCIE Risk Alert lists 28 sample document and information requests, based on the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity,” that could be used as the foundation for enforcement actions. The requests can also serve as a checklist to ensure your company is prepared for an agency audit.
Here are the critical areas to examine:
- Policies and procedures: The company should have written information security policies and procedures, review and test them regularly, and audit compliance with them. In addition, the company should periodically inventory its hardware, software, and network resources.
- Risk assessment: The company should have a process for assessing risks and conduct periodic assessments. If risks are identified, the company should document the steps it took to remediate them.
- Personnel: The company should designate someone responsible for cybersecurity, such as a chief information security officer or the equivalent, and detail the employee’s duties in writing.
- Insurance: The company should have a comprehensive cyberinsurance policy.
- Employee awareness training: The company should provide guidance and training to employees on information security risks and responsibilities and retain copies of all training materials and attendance records.
- Incident response: The company should have a cybersecurity incident response policy, an incident response team, and a business continuity plan that addresses post-breach recovery. It should periodically update and test its policy.
- Customer accounts: The company should have policies addressing breaches or other cyberattacks that affect customers and a means of detecting anomalous or fraudulent customer requests.
- Third parties: The company must assess cybersecurity risks posed by third parties with access to the company’s networks, customer data, or other sensitive information. Contracts with third parties should include language that addresses information security and breaches.
- Detection: The company should have written procedures for monitoring and detecting unauthorized access on its networks and devices, including mobile devices. It should also ensure users have access only to network resources necessary for their business functions.
Given the current administration’s continuing focus on cybersecurity and the controversy stirred by recent prominent cyber breaches, it is only a matter of time before the SEC and other agencies require more organizations to have these safeguards in place.
Ken Fleming is director of Information Security at Conduent. He can be reached at email@example.com.