By Alan Jackson, CISSP
Cyber threats pose a significant present risk to the financial services industry in the United States. The Federal Government and the Securities and Exchange Commission (SEC) have echoed this sentiment many times. For example, Mary Jo White, the chair of the SEC, stated in her opening statement at the SEC roundtable on cybersecurity that, “Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism” (2014). Despite this and other statements, many financial services firms fail to comply with their cybersecurity obligations. One reason may be that the SEC has, until recently, avoided giving clear direction on how to comply with Regulation S-P, which requires firms to protect confidential information against cyber-attacks. This, however, is no longer the case.
The SEC has shown through statements, enforcement actions, and initiatives what controls firms are expected to have in order to comply with Regulation S-P. This is the first in a series of practical blog posts by Ashland Partners discussing:
- How to designate your Program Administrator
- How to create a Risk Assessment
- What specific Policies and Procedures you should have
- How to regularly test your Controls
- What should be included in your Staff Training
- How to perform Vendor Due Diligence
- How to regularly review your Information Security Program
- How to build an Incident Response Plan
These eight cyber tools are what the SEC wants to see in your information security program. When they are implemented well, you will have what you need to protect your data and survive a possible SEC exam.