For the third year in a row, the SEC has announced that cybersecurity will be an area of focus in 2016. Meeting SEC standards can be one of the most difficult challenges faced by small and mid-sized companies covered under §270.38a-1 and §275.206(4)-7. Firms are held to similar standards regardless of their size, and whether you have fifteen employees or five hundred, you are required to have, enforce, and regularly evaluate compliance policies and employee training.
To show the SEC that you take cybersecurity compliance seriously, make sure you have addressed the following areas:
The SEC requires that all covered entities have cybersecurity policies that maximize the confidentiality of investment data, along with documented processes behind their IT infrastructure. The SEC expects covered entities to select a control framework on which to base their policies, and wants to see that the following critical areas are covered:
- how confidential and personal information is transmitted and stored
- the standards for annual risk assessments, and the frequency with which they are conducted
- business continuity and disaster recovery planning
- a complete incident response plan, including policies for public outreach after a breach
Pathfinders highly recommends that covered entities make use of the NIST Framework. The SEC & NIST offer tools that can be used to assist in the development of policies & procedures. It’s important to keep in mind while developing your policies that they must accurately describe how your company does business. The SEC can always ask you to replace a bad policy or improve your cybersecurity posture, but lying about your procedures can be cause for significant penalties. You need to be able to prove that your procedures are followed, so you should keep in mind what evidence you plan to offer for them in the event that you are audited.
The SEC expects companies to ensure that employees receive regular training on company policy and IT security awareness. Most breaches occur as the result of social engineering targeted against company employees. Hackers use enterprise-grade tools to develop profiles of companies and their employees based on information available on their company site, social networking sites like LinkedIn or Facebook, and through the contacts of people whose email accounts have been hacked.
When you think of your network, it’s important to remember that each and every employee provides a way for hackers to enter your network and access your data. You expect your IT people to apply regular security updates to servers, routers, and antivirus solutions in order to help counteract the latest threats; the only way to make your network safe is to ensure your users get those same updates via security training.
All of the work you do to create policies and train users is only worth something to the SEC if you can prove that you’ve done it. As mentioned before, everything should be written with that in mind; if you can’t prove you did it, it was a waste of time and money. Even if your proof is nothing more than a signed statement that attests to the fact that the policies & procedures were reviewed, it’s important to have that on file and ready for the SEC in case of an audit. Your policies should detail what evidence the SEC should be able to expect.
Pathfinders offers policy review & development, audit prep, and security awareness training aimed at ensuring the companies we work with are prepared for audits and understand the newest threats to IT security. We can work with you to develop a tailored cybersecurity compliance handbook.
For more information on our compliance-related service offerings, call 484-268-1000 to schedule a free consultative discussion.
ADDITIONAL TOOLS & LINKS
- SEC 2016 Focus - https://www.sec.gov/news/pressrelease/2016-4.h
- NIST CSF Reference Tool - http://www.nist.gov/cyberframework/csf_reference_tool.cfm