Cybersecurity and cyberattacks continue to dominate the news and the regulatory landscape in 2018. It is projected that they will continue to remain prominent issues for financial institutions for the foreseeable future. To anticipate future cyberattacks is a near impossibility; however, financial firms can be better equipped for mitigating the consequences of a cyberattack through the establishment of robust controls and procedures to bolster the policies they have in place. One of the cornerstones of this mitigation is the formation of detailed and vigorous training and mentorship program. Through employee education, firms will have knowledgeable staff making informed decisions about cybersecurity issues and responding appropriately to cyber-incidents.
In this month’s Risk Management Update, we outline the reasons mentorship and training on cybersecurity are important components to a firm’s cybersecurity policy and offer tips and suggestions on executing a comprehensive cybersecurity training program.
The Importance of Cybersecurity Training
In August 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released their Observations from Cybersecurity Examinations. One of the items that OCIE highlights as an element of robust policies and procedures is “mandatory employee training.” It cannot be overstated how vital informed employees are in acting as the first line of defense against possible cyber threats. It’s essential for firms to make sure employees remain informed about firm cybersecurity policies by having a vigorous training program in place.
Cybersecurity training should encompass (at a minimum) the following key components:
- Learning to identify cyber-threats, such as social engineering, phishing, viruses, malware and hacking;
- Implementing steps to develop good “protection” habits, including:
- reviewing encryption protocols with all employees
- mandating strong password policies
- performing data backups
- not disabling anti-virus/anti-malware software
- not using unauthorized devices to access your firm’s network;
- understanding cybersecurity policies and user responsibilities based on an employee’s job function;
- Providing employees with continuing education and up-to-date resources on cybersecurity and cybercrime prevention; and
- Outlining and reviewing requirements of the firm’s incident response procedures with all employees.
While there is no one-size-fits-all solution for each firm, training that focuses on these core elements should help ensure employees have the knowledge needed to be effective gatekeepers. Cybersecurity training can take many forms (e.g. webinars, live trainings, educational modules), but what matters most is that employees are receiving consistent, up-to-date training at least annually to learn about these topics. Furthermore, senior management should mandate that all employees in the firm, regardless of their position, receive proper training.
Cybersecurity mentorship is a great tool for improving employee awareness about cybersecurity and cyber-incidents. It can be extremely helpful to bring in experts, such as IT professionals and/or compliance consultants in order to impart in-depth knowledge about certain areas such as evolving cyber-threats and regulatory requirements. However, mentorship doesn’t just have to be provided by subject matter experts; it also can be provided by supervisors and/or managers who remain involved in continuing to educate staff regarding cybersecurity issues. Supervisors providing periodic updates about cybersecurity issues and regulatory news, as well as helpful tips and reminders, can go a long way in ensuring that staff members remain vigilant in their commitment to a firm’s cybersecurity policy.
The Effectiveness of Mentorship/Training for Incident Response
The success of a firm’s incident response plan (“IRP”) hinges largely on the individuals who are responsible for its implementation. It is incumbent upon the firm’s Information Security Officer (“ISO”) and the Chief Compliance Officer (“CCO”) to provide management, IT staff, and other vital employees with the tools necessary to address cyber incidents. Hence, consistent, detailed training and testing is critical to ensure that the IRP will be implemented effectively in the event of a cyber-incident, and the efficacy of each one of the items in an IRP depends largely upon the staff at the firm knowing whom to contact, what steps need to be taken during a cyber-incident, and what corrective measures need to be addressed in the aftermath.
Tips and Suggestions on Implementing a Cybersecurity Training Program
Below are some tips and suggestions on how to implement a Cybersecurity Training Program at your firm:
- Have senior management provide all employees with written notice via email that cybersecurity training is a required job function;
- Meet with new employees to provide and discuss cybersecurity policy and incident response plan;
- Provide and document annual in person cybersecurity training presented by the ISO, CCO, consultants and/or guess speakers (law enforcement or cyber experts etc.) and require review and written acknowledgement of cybersecurity policy and incident response plan;
- Perform periodic mock phishing tests and annual quizzes to help gauge employee level of knowledge and then provide additional training to any who failed; and
- Send periodic emails to employees providing up to date information on current cyberattacks and a reminder to be knowledgeable of the firm’s cybersecurity policies and protocols.
These are just a few suggestions that may help you in creating your own cybersecurity training program. Importantly, training programs should be customized based on the firm’s potential exposure to cyberattacks and vulnerability risks.
The anticipation and preparation for a cyberattack can feel daunting, but through proper training and education of employees, firms can help ensure they are positioned to prevent most events from happening and respond quickly and correctly if they do.
For more information on, or assistance with cybersecurity policies, incident response plans, and/or mentorship and training, please contact us at (619) 278- 0020, or visit us at www.corecls.com.
Author: Core Compliance & Legal Services; Editor: Tina Mitchell, Managing Director, Consultation Services; Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
 “Accenture Mid-Year Threatscape Report Identifies Five Global Cybersecurity Threats.” MarketWatch, MarketWatch, 7 Aug. 2018, www.marketwatch.com/press-release/accenture-mid-year-threatscape-report-identifies-five-global-cybersecurity-threats-2018-08-07.
 “Risk Alert: Observations from Cybersecurity Examinations.” SEC.gov, 7 Aug. 2017, www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.
 In the same risk examination, OCIE observed that a common deficiency was lax enforcement and accountability by supervisors for failure of employees to complete cybersecurity training.