SEC Announces Cybersecurity Policy Enforcement #CyberAware
October 6, 2015
President Obama has designated October as National Cybersecurity Awareness Month. This week, we will be shining a spotlight on cybersecurity examinations for businesses and business owners. Herjavec Group is sharing a summary of the SEC’s latest release where the commission highlighted the six target areas for its future cybersecurity examinations. All businesses should be #CyberAware
In late September, the Securities and Exchange Commission (SEC) charged an investment advisor for failing to have adequate policies and procedures in place to reinforce the protection of customer data. To date, the Commission’s examinations have been focused on registered broker-dealers but it is believed that the SEC’s development of six target areas for the focus of cybersecurity examinations will lead to a greater standardization across cybersecurity audits, assessments and examinations for businesses of all sizes.
The following six target areas relating to cybersecurity examinations have been identified:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Training
- Incident Response
Governance and Risk Assessment
This area of focus raises numerous questions for businesses and business owners. Do you have security policies, standards, and procedures? Are they being reinforced or even used? Is there a regular risk assessment being done to determine what risks currently exist? What are your escalation policies to alert the executive team once a threat arises? These are the questions a company must consider to reinforce responsibility across all levels of the organization.
Access Rights and Controls
Do you know who can access information within your organization? Do you know where your data and that of your customers are located at all times? Regular validations ensure the right people have the right access. If a person within your organization moves to another internal team, is there a policy for reviewing and updating access rights, and is it being followed? Are you creating accounts by copying an existing account, potentially giving people greater levels of access than they require to perform their job? Creating a process to regularly validate access rights, with quarterly review, is beneficial to any company.
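As an added illustration (not part of the original post), the following script shows what a quarterly access review can look like in practice: each account's entitlements are compared against a least-privilege baseline for its role, and anything beyond the baseline is flagged, with the likely cause recorded when the person changed teams or the account was created by copying another. The role names, entitlement names and accounts are constructed for the example.

```python
"""Quarterly access-rights review: flag entitlements beyond a user's role baseline."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed least-privilege baselines per job function (hypothetical names).
ROLE_BASELINE = {
    "trader": {"order_entry", "market_data"},
    "ops": {"settlement", "market_data"},
    "hr": {"hr_records"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    previous_role: Optional[str] = None  # set when the person moved teams
    cloned_from: Optional[str] = None    # set when the account was copied from another


def excess_entitlements(acct: Account) -> Set[str]:
    """Entitlements the account holds that its current role does not justify."""
    return acct.entitlements - ROLE_BASELINE.get(acct.role, set())


def review_access(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Return (user, entitlement, reason) findings for the review meeting."""
    findings = []
    for a in accounts:
        prior = ROLE_BASELINE.get(a.previous_role, set()) if a.previous_role else set()
        for ent in sorted(excess_entitlements(a)):
            if ent in prior:
                reason = f"retained from previous role {a.previous_role}"
            elif a.cloned_from:
                reason = f"inherited by copying account {a.cloned_from}"
            else:
                reason = "not in role baseline"
            findings.append((a.user, ent, reason))
    return findings


# Constructed sample accounts showing the two failure modes discussed above.
SAMPLE = [
    Account("alice", "trader", {"order_entry", "market_data"}),
    Account("bob", "ops", {"settlement", "market_data", "order_entry"}, previous_role="trader"),
    Account("carol", "hr", {"hr_records", "settlement", "market_data"}, cloned_from="dave"),
]

if __name__ == "__main__":
    for user, ent, reason in review_access(SAMPLE):
        print(f"{user}: {ent} ({reason})")
```

Feeding the script a real export of role assignments and entitlements turns the quarterly review into a repeatable report rather than a manual spreadsheet exercise.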
Data Loss Prevention
Data Loss Prevention (DLP) is a strategy for making sure that sensitive or critical information does not leave the corporate network. DLP tools exist to block or record information as it is being moved, and to monitor who sends information where. The easiest way for a business to lose information is web mail. Once something is attached and sent, it cannot be recalled. In addition to the adoption of DLP software products, an organization should have procedures outlined in order to stop the dissemination of confidential or critical information. Examples include: disabling the use of unencrypted USB drives, disabling the ability to transfer files by email, or disabling the use of non-corporate cloud storage services.
Vendor Management (Third Party Management)
Otherwise known as third party management, vendor management is the mitigation of risk from any third party that can access your business environment. All third parties represent a cybersecurity risk to your organization. In the highly publicized breach of their customer data, Target reported to The Wall Street Journal that the initial intrusion into its systems was traced back to their third party HVAC contractors, through an electronic billing link.
It is imperative that all organizations know which vendors have access to their information and networks. The more you can limit or track what a third party is doing within your environment, the less likely an unauthorized event will occur.
Training
You can have policies, procedures, and governance programs, but if the people within your organization don’t have a healthy awareness of their responsibilities in the protection of critical information, security precautions can be rendered ineffective. As cybersecurity professionals, it can be perplexing to see organizations that focus their efforts on investments in the technology space, while often ignoring and undervaluing the investment in their own people. Training should not be developed only to satisfy a regulatory or legislative requirement “check box”. Security awareness training should be scoped and managed as an ongoing initiative under the overall cybersecurity program.
Incident Response
It is not a matter of if you will be impacted by a security incident; it is a matter of when. Does your organization have a remediation procedure policy in place? Do you have a remediation service provider ready to act as soon as an incident occurs? Is your executive team prepared for a security incident and the resulting communications to customers, employees, shareholders and vendors? On-site presence is critical to managing an incident, interacting with management and ensuring a swift return to standard business operations. A good place to start your incident response plan is reviewing the NIST Cybersecurity Framework.
The Risk Alert issued by the SEC exemplifies how the government will continue to evaluate and even potentially regulate the sphere of cybersecurity. The release also highlights that technical controls are only one aspect of security. Organizational and administrative efforts, including governance, training and vendor oversight, are also crucial in order to mitigate risk.
Herjavec Group recommends that organizations review these six areas of focus and ensure the appropriate policies, procedures and guidelines are in place in advance of an incident’s occurrence. Review our Ten Point Plan for Security Preparedness.
View the 2015 SEC Risk Alert here.