On episode 79 of the CCO Buzz, Compliance Consultant Adam Stutz is here to discuss what firms should consider when preparing for a Cybersecurity Sweep Exam.
CCO Buzz: Hello and welcome back to the CCO Buzz! On today’s episode we have this month’s Risk Management Update author, Adam Stutz. He’s here to provide insight on the hot topic of the industry, Cybersecurity. But more importantly, he’s discussing a few considerations to help firms prepare for a Cybersecurity Sweep Exam.
With that, let’s begin!
Adam, in your article this month you cover how cybersecurity continues to be a top priority for the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”). Do think that within this evolving remote-work state, firms and their CCOs should prepare and strengthen their own cybersecurity protocols?
Adam Stutz: Oh of course. Despite the changes in workplace dynamics due to the pandemic, OCIE shows no signs of slowing its examinations of investment advisers and broker-dealers, and it is vital that firms prepare for the possibility of a cybersecurity sweep exam.
SEC exams are daunting enough for any firm, and a focused cybersecurity exam can give any seasoned Chief Compliance Officer (“CCO”) and/or Information Security Officer (“ISO”) pause. In my article, I attempt to tackle many of the questions CCOs and ISOs might be asking themselves, such as…
- What parts of the firm’s cybersecurity program will be scrutinized by the SEC?
- How should the firm test its current controls?
- How should the firm respond to gaps in controls? and
- How does the firm prepare employees for a cybersecurity sweep exam?
CCO Buzz: Wow, that’s a lot to consider and that’s not even half of it. Further [on] in your article you detail key components for preparation, one of which you refer to as “one of the most important tools in any firm’s arsenal,” the risk assessment. How does a firm’s risk assessment prepare them for a cybersecurity sweep exam?
Adam Stutz: Well, during a risk assessment firms should be evaluating and classifying the high, medium, and low levels of risk associated within their program’s governance, access rights, data loss prevention, vendor management and incident response domains. From there, CCOs and ISOs can build a road map or action plan to determine which controls require the most immediate attention within their compliance program. Overall, the risk assessment not only highlights areas of high concern, but it also allows insight on how to implement and strengthen additional controls, and to address the risk and threat levels within the relevant domain, especially within the cybersecurity realm.
CCO Buzz: Another area you touch upon in the article discusses the foundation of any compliance program, the firm’s policies and procedures (“P&Ps”). Within that section you urge readers to consider and acknowledge specific controls. Could you provide our listeners with a bit more insight?
Adam Stutz: Of course. In that section, I detail the importance of assessing your firm’s P&Ps. When evaluating your P&Ps, its best to analyze whether they contemplate the domains, like governance, access rights, data loss, etc., and do they acknowledge specific controls within those domains. Some that firms may want to consider are…
- Identification of an ISO or principal responsible for oversight of cybersecurity
- Controls for the protection of client records containing client personal identifying information
- Data exfiltration and loss prevention
- Login failures, lockouts, and password resets, and
- Patch management controls, and more.
The list only scratches the surface of what is listed in the article. But it is important to bear in mind that a firm’s P&Ps need to not only address the domains, but also be customized for their specific business model.
CCO Buzz: Speaking of business models, we have established that not all firms are alike, and neither should their approach to compliance or cybersecurity [be alike]. But within the article you highlight an area of business that I particularly would have never considered “vulnerable” for cybersecurity, which is the Inventories and Reports.
Adam Stutz: I hear that a lot. Often when firms think of inventories they tend to focus on the identification of their hardware and software, and keeping lists that identify attributes such as makes, models, and serial numbers on those various devices. But inventories should go beyond equipment and applications and focus on other areas, such as…
- Contracts, terms of service, and audit reports
- Patch management schedules
- Anti-malware, anti-virus, and intrusion detection applications, and
- Service-providers and vendor lists.
I go further into this within the article, but within these inventories firms should also consider periodic reporting of the inventories, like…
- Penetration test results
- Anti-malware and anti-virus scans, and
- Patch management reports.
Reports, like these, can provide valuable information not only to the CCO and ISO, but also to senior management to outline threat vectors, malefactors, and provide a holistic view on the state of the firm’s cybersecurity program to determine if things are working or if additional controls and resources are necessary.
CCO Buzz: Wow, that’s a lot to consider. But look at the time! We’ve barely scratched the surface of your article and there’s so much more I wanted to cover. But before we go, Adam, could you give our listeners a bit more insight before we sign-off?
Adam Stutz: Well I don’t want to give too much of it away, but of course. Within this month’s Risk Management Update, I cover additional areas that could help any firm prepare for a cybersecurity sweep exam, including Incident Response Planning, Governance, Training, and the conducting of a Cybersecurity Mock Audit. For more insight and information regarding the topic, please refer to this month’s RMU, “How to Prepare for a Cybersecurity Sweep Exam,” or contact our team at (619)278-0020 or at www.corecls.com.
CCO Buzz: Thank you so much for joining us today, Adam.
Adam Stutz: Absolutely, thank you.
CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn, or Twitter @CoreCls. Thank you, and we hope you tune-in to next week's episode of the CCO Buzz.