Investment advisers registered with the Securities and Exchange Commission (“SEC”) are required by Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Compliance Rule”) to review their compliance policies and procedures at least annually, and cybersecurity testing should be a key component of that review. Cybersecurity remains a top examination priority of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), which recently began its third wave of cybersecurity sweep examinations. Firms should therefore prioritize the review of their cybersecurity programs, and building cybersecurity testing into the annual review process is an efficient way to verify that a firm’s cybersecurity policies and procedures remain adequate and effective.
In this Risk Management Update, we discuss considerations for structuring cybersecurity testing and provide examples that Chief Compliance Officers (“CCO”) and/or Chief Information Security Officers (“CISO”) can implement.
Resources for Structuring a Cybersecurity Testing Plan
Because cybersecurity is such a crucial component of a firm’s compliance infrastructure, it is important for firms to consider certain key areas of their cybersecurity program before initiating testing. These include:
Policies and Procedures: A review of the firm’s cybersecurity policies and procedures provides the framework for creating a testing plan as the CCO proceeds with the annual review.
When reviewing a firm’s cybersecurity policies and procedures, determine whether the following subject areas have been addressed:
- Identification of Common Cyberattacks
- Appointment of the Firm’s CISO
- CISO Responsibilities
- Systems Users’ Responsibilities
- Protection Requirements and Data Loss Prevention
- Access Rights and Controls
- Vendor Management
- Incident Response
- Penalties for Violations
- Training and Additional Resources
- Annual Risk Assessment
Risk Assessments: A risk assessment should be performed at least annually. At a minimum, the risk assessment should cover the following:
- Governance of the program;
- Cyber risks surrounding firm systems;
- Strength of controls pertaining to access rights, data loss and incident response;
- Vendor due diligence process; and
- Training of employees.
Cybersecurity risk assessments are valuable tools to identify gaps in a firm’s cybersecurity controls and are a central component of the testing process because they can guide the CCO in determining which areas of the cybersecurity program are high-risk and therefore require heightened attention. Moreover, CCOs can use the risk assessment to guide their line of questioning during interviews with their IT departments and/or IT service providers.
IT departments and/or vendors can be valuable assets to CCOs and CISOs during testing by providing technical assistance and documentation on items such as: the firm’s data loss monitoring; monitoring of the protocols used to transfer data to external third parties; reviews of cloud storage security; deployment and documentation of patch management updates; data mapping and the software and hardware inventories; and participation in mock incident response exercises that walk through the identification, containment and eradication steps of the incident response plan and document the findings.
By engaging IT, the CCO and/or CISO will be able to create customized tests that address specific areas of their cybersecurity program that may not be receiving enough attention.
SEC Risk Alerts: In recent years, the SEC’s Division of Investment Management and OCIE have released a number of risk alerts detailing the most common issues observed during focused cybersecurity exams, along with guidance on the components of a strong cybersecurity program. Some of the areas that this guidance highlights include:
- Strategies designed to prevent, detect and respond to cybersecurity threats;
- Strategies for implementing policies and procedures and mandatory training;
- Performing periodic risk assessments;
- Maintenance of an inventory of systems, data, and vendors;
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access data and systems; and
- Engagement of senior management.
This guidance can be very helpful in designing testing protocols.
As with other areas of compliance, testing must be customized to a firm’s cybersecurity program. That said, the transactional, periodic, and forensic testing methods used for other areas of compliance apply equally to cybersecurity: they are an integral part of a firm’s annual review process, and each is designed to cover a different activity period. Examples of each testing method applied to cybersecurity follow:
Transactional Testing: Transactional testing is performed at the time of the activity. When considering transactional testing for cybersecurity, CCOs should think about which daily activities involve “data transactions”. For example, a transactional test could monitor the daily migration of files containing PII between the firm and a custodian and verify, at the time of transmission, that the required security controls are actually applied (for example, that the files travel over the encrypted channel the policy prescribes and that each transfer is logged).
Periodic Testing: Periodic testing is performed at set times or intervals and allows firms to evaluate how their policies and procedures are functioning over a broader period of time (e.g., a month or a quarter). Consider building your periodic tests directly from your firm’s cybersecurity policies and procedures. For example, review all new hires within the last month to confirm that they completed their initial cybersecurity training and that their login credentials were set up properly, with only the access rights their role requires. Another example is to confirm that every individual who conducts business on a mobile device has registered that device with the firm and that documentation of the registration has been retained.
Forensic Testing: Finally, forensic testing analyzes information over a longer period of time, looking for trends and patterns. For example, the CCO and/or CISO could work with IT to compare the firm’s approved access rights for restricted file directories against the access logs for those directories, to determine whether any restricted directory was accessed by an unapproved user and/or vendor and whether any files were copied or moved from a restricted directory to an unrestricted directory or an external destination during the past year. This test depends on file-access auditing being enabled and the logs being retained for the full review period, so confirm both with IT before relying on the results. Another example is to pull the web browsing histories (or web proxy logs) for systems users over the same period and review access to any restricted websites that contravene the firm’s policies and procedures. If any systems user accessed a restricted site, the CCO and/or CISO could interview that user to determine whether any data containing PII was shared with the site.
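As an added illustration of the forensic test described above (example code written for this article, not part of the original page or of Core Compliance’s checklist), the Python script below compares a constructed access-rights matrix with a constructed file-access audit log and flags two things: restricted directories accessed by principals not on the approved list, and files copied or moved out of a restricted directory to an unrestricted share or an external destination. The directory names, user names, log columns and destination prefixes are all assumptions made for the example.

```python
"""
Forensic review of file-access events against an access-rights matrix.

Added example (not part of the original article). Both the access-rights
matrix and the audit log below are constructed sample data; a real review
would export ACLs and file-access audit logs from the firm's systems.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed access-rights matrix: restricted directory -> approved principals
# (users and vendor/service accounts). Use the approved list documented in the
# firm's access-rights procedure, not the live ACL, so that an improperly
# granted permission does not look "approved".
ACCESS_RIGHTS = {
    "/shares/clients/pii": {"jdoe", "asmith", "svc-custodian"},
    "/shares/hr": {"hr-admin"},
}

# Destination prefixes treated as external to the firm (assumed for the example).
EXTERNAL_PREFIXES = ("usb:", "https://", "mailto:")

# Constructed file-access audit log (CSV). A real log would come from the file
# server's audit subsystem or a DLP tool; the column names are assumptions.
SAMPLE_LOG = """timestamp,user,action,path,destination
2019-03-04T09:12:00,jdoe,read,/shares/clients/pii/acct-1001.xlsx,
2019-03-04T09:13:10,bwilson,read,/shares/clients/pii/acct-1002.xlsx,
2019-03-05T14:02:33,asmith,copy,/shares/clients/pii/acct-1003.pdf,usb:E:/acct-1003.pdf
2019-03-06T11:45:00,vendor-bak,read,/shares/hr/payroll.xlsx,
2019-03-07T16:20:05,jdoe,move,/shares/clients/pii/summary.docx,/shares/public/summary.docx
2019-03-08T08:00:00,hr-admin,read,/shares/hr/payroll.xlsx,
2017-01-01T08:00:00,bwilson,read,/shares/clients/pii/old.xlsx,
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "unapproved_access" or "restricted_transfer"
    timestamp: str
    user: str
    path: str
    detail: str


def restricted_root(path: str) -> Optional[str]:
    """Return the restricted directory that contains ``path``, or None."""
    for root in ACCESS_RIGHTS:
        if path == root or path.startswith(root.rstrip("/") + "/"):
            return root
    return None


def classify_destination(dest: str) -> str:
    """Classify a copy/move destination as external, unrestricted or restricted."""
    if dest.startswith(EXTERNAL_PREFIXES):
        return "external"
    if restricted_root(dest) is None:
        return "unrestricted"
    return "restricted"


def review_events(log_text: str, review_end: str, lookback_days: int = 365) -> List[Finding]:
    """Flag (1) restricted-directory accesses by principals not on the approved
    list and (2) copies/moves out of a restricted directory, for events inside
    the look-back window ending at ``review_end`` (ISO date)."""
    end = datetime.fromisoformat(review_end)
    start = end - timedelta(days=lookback_days)
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not (start <= ts <= end):
            continue  # outside the review period (e.g. older than one year)
        root = restricted_root(row["path"])
        if root is None:
            continue  # unrestricted directory; nothing to check here
        if row["user"] not in ACCESS_RIGHTS[root]:
            findings.append(Finding("unapproved_access", row["timestamp"], row["user"],
                                    row["path"], f"not on the approved list for {root}"))
        dest = row["destination"]
        if row["action"] in {"copy", "move"} and dest:
            where = classify_destination(dest)
            if where != "restricted":
                findings.append(Finding("restricted_transfer", row["timestamp"], row["user"],
                                        row["path"], f"{row['action']} to {where} destination {dest}"))
    return findings


def users_to_interview(findings: List[Finding]) -> List[str]:
    """Distinct principals the CCO/CISO should follow up with in the interview step."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    results = review_events(SAMPLE_LOG, "2019-12-31")
    for f in results:
        print(f"{f.timestamp} {f.kind:20} {f.user:12} {f.path} ({f.detail})")
    print("Follow up with:", ", ".join(users_to_interview(results)))
```

Running the script prints each finding and the list of users to interview. On the sample data it reports two unapproved reads (a user and a vendor account not on the approved list), one copy to removable media and one move to a public share, and it ignores the 2017 event because it falls outside the one-year window; that last point is also the practical caveat: the window is only meaningful if the audit log actually covers the whole period, so check log retention with IT before drawing conclusions.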
Annual review testing is crucial. As with any other area of compliance, the cybersecurity testing protocols utilized should be customized based on applicable risks and the facts and circumstances surrounding a firm’s program.
Core Compliance is providing a sample cybersecurity review checklist to assist CCOs with organizing their cybersecurity annual review testing. Please note that this checklist is a sample only and should be customized to a firm’s business enterprise and compliance program.
Author: Adam Stutz, Compliance Consultant; Editor: Tina Mitchell, Lead Sr. Compliance Consultant, Core Compliance & Legal Services (“CCLS”). CCLS works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
Note on the risk assessment list: this list should not be considered a complete list of items to be covered by a risk assessment, and CCOs and/or CISOs should ensure that the risk assessment is tailored to their firm.
The most recent risk alerts and guidance are: “Risk Alert: Observations from Cybersecurity Examinations,” U.S. Securities and Exchange Commission, 7 Aug. 2017, www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; and Division of Investment Management, “IM Guidance Update: Cybersecurity Guidance,” U.S. Securities and Exchange Commission, Apr. 2015, www.sec.gov/investment/im-guidance-2015-02.pdf.
On the annual review process, see “The Art to Performing Annual Reviews,” Core Compliance & Legal Services, Inc., Oct. 2018, www.corecls.com/news-events/the-art-to-performing-annual-reviews.