The U.S. Securities and Exchange Commission (SEC) stresses a “culture of compliance” as being key to helping firms avoid a costly data breach and resulting fines. Why is this important? Too often, compliance is only considered when a firm is audited, and as recent breaches have proven all too well, compliance does not necessarily equal security. Here are 3 of the top components that should be evaluated:
1) Adherence to technology best practices – The Office of Compliance Inspections and Examinations (OCIE) administers the SEC’s nationwide examination and inspection program. OCIE launched a cybersecurity initiative in April 2014 and has provided a list of technology-related policies and documents that should be maintained, network controls that should be in place, and recommendations for reviewing third-party vendors and monitoring the firm’s network to detect anomalous activity.
2) Resources – Is the compliance program adequately funded, or is there a disparity between the firm’s stated position on maintaining compliance and its investment in the resources needed to make that happen?
3) Is the Compliance Program dynamic? Threats to cyber security are always evolving, and the protections also need to evolve and be regularly tested to confirm that the technical controls are working, modified as needed, and enforced. Ongoing evaluation of third-party vendors is especially key, as some of the major breaches have come through third parties that did not have the same level of cyber security controls in place as the target of the attack. Two recent examples were a major oil company that was hacked via an online Chinese menu that its employees frequently used, and the Target breach via the retailer’s HVAC vendor. Roughly 25% of breaches have been attributed to third parties, but the figure is likely much higher, as some breaches go undetected or unreported, or are not investigated thoroughly enough to determine the source.
It’s understandable that it’s difficult to audit yourself, and that your firm’s main focus is achieving the financial goals of your clients. Determining where you have gaps in protection and assisting with ongoing compliance requirements can be outsourced to our firm as an extension of yours.