On episode 53 we discuss a key component of a firm's annual review - Cybersecurity Testing.
CCO Buzz: Hello and welcome back to the Buzz. We hope everyone has been enjoying this beautiful summer – we sure have! On today’s Buzz, Episode 53, we’re discussing Cybersecurity Testing, and there’s a lot to cover, so let’s get started.
Adam Stutz: As listeners know, Rule 206(4)-7, or the Compliance Rule, requires SEC registered investment advisers to perform an annual review of their policies and procedures, and a key component of a firm’s annual review should include cybersecurity testing. This remains especially important since cybersecurity remains a top examination priority for the SEC’s Office of Compliance Inspections and Examinations, or OCIE.
As CCOs and Chief Information Security Officers, or CISOs, design their cybersecurity testing, they should begin by considering some key resources when developing their testing protocols.
To start, a firm’s cybersecurity policies and procedures will serve as the framework for creating a testing plan. It’s important for the cybersecurity policies and procedures to address certain key areas including identification of the firm’s chief information security officer, vendor management, access rights and controls, training and incident response plans. As with any other area of a firm’s policies and procedures, cybersecurity policies and procedures should be customized to a firm’s business model and address risks that are specific to each firm.
Another important resource for CCOs and CISOs to consider for cybersecurity testing is the firm’s annual risk assessment of the cybersecurity program. Cybersecurity risk assessments are valuable tools in identifying gaps in a firm’s cybersecurity controls and high-risk areas where additional controls may be necessary and should cover areas such as governance, data loss prevention, vendor management, training, and incident response plans.
A third, and obvious, resource is the firm’s IT department or vendor. IT can be a valuable asset by providing technical assistance and documentation on items such as data loss monitoring; monitoring data transfer protocols to external third parties; reviewing cloud storage security; deploying and documenting patch management updates; and assisting with data mapping and software and hardware inventories. Additionally, engaging IT can help CCOs and CISOs with customizing testing protocols further to ensure they are reasonably tailored to the firm’s business.
A fourth resource is the risk alerts issued by the SEC. OCIE has released a number of risk alerts in recent years detailing common issues discovered during cybersecurity sweep exams as well as elements of a robust cybersecurity program.
Now, as CCOs and CISOs begin thinking about customizing their tests to their firm’s business model using their firm’s cybersecurity policies and procedures, they will want to apply transactional, periodic, and forensic tests to cybersecurity as they would to any other area of their compliance program.
To begin, as most listeners know, transactional testing is performed at the time of the activity. A cybersecurity transactional test could involve monitoring daily data migration of files containing PII between the Firm and a custodian and verifying that security protocols are being administered properly at the time of transmission.
Next, periodic testing involves a specific period of time and is performed at certain intervals allowing a firm to evaluate how their policies and procedures are functioning over that specific period, for example a month or quarter. A periodic test could involve reviewing the initial cybersecurity training and creation of login credentials for new hires at a firm within the last month or quarter to verify completion of their initial cybersecurity training and the proper set up of their login credentials.
Finally, forensic testing involves analyzing information over a longer period of time and looking for trends and patterns. For example, the CCO and/or ISO could work with IT to pull the web histories for systems users for the past year and review access to see if any restricted websites that contravene the Firm’s policies and procedures were opened. If it was discovered that any systems users accessed any restricted sites, the CCO and/or the ISO could conduct an interview with the system user to determine if any data containing PII was shared.
To sum up, testing is a crucial part of the annual review process and, as with any other area of compliance, cybersecurity testing is an important component. Cybersecurity testing should be customized based on applicable risks and the facts and circumstances of a firm’s business model to ensure a thorough and accurate review has been performed by the CCO and/or CISO.
For more information and suggestions on cybersecurity testing, listeners should visit Core Compliance at www.corecls.com to download a copy of this month’s risk management update on cybersecurity testing. Core Compliance is also providing a cybersecurity review checklist to guide CCOs and CISOs as they organize their cybersecurity annual review testing. If you have questions or concerns about cybersecurity testing or your cybersecurity program, again, please visit Core Compliance at www.corecls.com or call us at 619-278-0020.
CCO Buzz: Thank you and we hope you tune into next week’s episode of the CCO Buzz.