On 27 September 2016, the Canadian Securities Administrators (CSA) issued a notice stating that they “expect Market Participants to take steps to protect themselves against cyber threats.” But what does this mean for you? We frequently field confused questions from investment professionals who don’t understand what they should be doing to address cyber security threats. Many professionals don’t even know what the real threats are. This confusion is compounded by the myriad regulatory agencies, standards, and laws that investment firms need to comply with. For example, the National Institute of Standards and Technology (NIST) framework that is becoming the de facto standard in the United States begins with a 41-page reference document that describes the need to use other NIST documents. In particular, the reference document calls out the 462-page NIST 800-53 standard. Keep in mind that the NIST documents are only one possible standard that you could adhere to. The International Standards Organization, SANS, ISACA, and others have competing standards. Furthermore, you have to tailor whatever standard you choose to your business and regulatory requirements. It is no wonder that there is so much confusion.
So how do you start? On a high level, we believe that cyber security must be practical. To that end, it should accomplish two things: it should be tailored to your business needs, and it should meet your regulatory requirements. In order for cyber security to be practical, it needs to be a strategic part of your business. Cyber security risk management is no different from other forms of risk management. If you understand cyber risks, you can make practical business decisions on how to address them. The CSA highlights this need by stating that cyber security should be tailored to your risk profile and should be regularly reinforced and refined at every level of your organization. Everybody, from the Board down to the interns, needs to understand how cyber security works.
Once you integrate cyber security into your business environment, you must meet your regulatory requirements. Thankfully the CSA has listed the components that are important to them. They are as follows:
- Cyber security risk assessment and information security governance programs
- IT safeguards and controls
- Use of encryption
- Risks related to third-party service providers
- Vulnerability tests and compliance monitoring
- Evidence of regular employee training and awareness
- Incident response plans
- Practices for accepting client instructions to withdraw or transfer funds via electronic means
Once again, you have to understand what these items mean. For example, what should be addressed in your third-party service provider procedures? This is where you refer back to your chosen framework. NIST, for example, has multiple documents dedicated to vendor lifecycle management. Your chosen standard can guide you in your policy creation, incident response planning, risk assessment process, etc.
If you are still overwhelmed, we understand. Cyber security can be a large and complicated field for those who haven’t been trained in it. Ashland Partners has been helping firms address their cyber-related needs for years. If you would like to chat about our approach to cyber security, please let us know. We are here to help.
CSA/ACVM (2016). CSA Staff Notice 11-332 Cyber Security. Retrieved from https://www.bcsc.bc.ca/Securities_Law/Policies/Policy1/PDF/11-332__CSA_Staff_Notice___September_27__2016/
NIST Special Publication 800-53 (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf