Cybersecurity: What Does A Good Program Look Like?

  

A short summary of the OCIE's recommendations after reviewing 75 financial firms' cybersecurity programs.

In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) looked at 75 financial firms to get an update on their cybersecurity preparedness.
While OCIE found improvements since its 2014 round of examinations, it reported that firms could still do better. Their findings are recommended reading for anyone wanting to benchmark or toughen up their cybersecurity measures. The report reveals what most firms are doing – but most importantly, it also highlights best practice at firms OCIE considers “robust”.

Here’s a quick summary if you’re pushed for time:


| Common Practice

What most firms do
 
  • Periodic risk assessments for critical systems
  • Penetration tests and vulnerability scans on critical systems
  • Tools to prevent, detect and monitor the loss of personally identifiable data
  • Maintenance processes to address vulnerabilities
  • Information-protection programs
  • Cybersecurity organization charts
  • Customer/shareholder authority to transfer funds to third-party accounts
  • Vendor risk assessments



| Best Practice

Extra measures that “robust” firms take

  • Inventory of data, information and vendors, including risk classification and vulnerabilities
  • Detailed cybersecurity-related instructions, e.g. for monitoring and access rights
  • Prescriptive schedules and processes for testing data integrity and vulnerability
  • Established and enforced controls to access data and systems
  • Mandatory employee training, from onboarding onwards
  • Senior management engaged to vet and approve policies and procedures
 
Want to read the full findings? Here’s the full six page OCIE report.
 
If you'd like a review of your current cybersecurity program, explore the cybersecurity experts on our platform by creating a free profile with Complect and take advantage of our member discounts to discover firms like Entreda, a full service, automated cybersecurity and compliance policy enforcement platform.
0 comments
8 views

Permalink