The Friday List: The 12-Step Cybersecurity Program

Today, we offer our “Friday List,” an occasional feature summarizing a topic significant to investment management professionals interested in regulatory issues. Our Friday Lists are an expanded “Our Take” on a particular subject, offering our unique (and sometimes controversial) perspective on an industry topic. The term “cybersecurity” may be more of a buzzword in investment management than performance, fiduciary or robo-adviser.
- Identify the location of confidential information. Conduct an internal assessment of where confidential information resides and who has (or could gain) access to it.
- Restrict access. Passwords should be unique to each employee and should be updated on a periodic basis. Also, make sure to shut down access for exiting employees.
- Monitor for intrusions. The IT function should add intrusion monitoring to its antivirus and security protocols. Also, IT should report multiple log-in failures.
- Prohibit removable storage media. Also, create a hardware environment that makes it difficult to use such media.
- Limit devices. Only firm-approved and encrypted devices should have access to the network/system.
- Test vulnerability. Hire an IT firm to perform a vulnerability assessment and conduct penetration testing.
- Evaluate vendors. Ensure vendor selection includes cybersecurity due diligence. Create an ongoing monitoring and reporting system.
- Report to Management. Add cybersecurity as an agenda item to every management and compliance meeting and include reports from IT and Compliance.
- Appoint somebody accountable. One person should own cybersecurity compliance across the organization, whether that person resides in IT, Compliance, or Operations.
- Create a response plan. The response plan should include required notices to clients and regulators and how to patch vulnerabilities.
- Consider cybersecurity insurance. Determine if a cybersecurity insurance policy will protect the firm against a catastrophic event.
- Implement policies and procedures. Develop policies and procedures governing all of the above and annually test whether they are being followed. Also, ensure ongoing employee training.
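The "report multiple log-in failures" step above is the one item on this list that IT can turn directly into a check. The script below is an added illustration, not code from the original post, of what such a report looks like in practice: it scans authentication log lines, counts failed logins per account inside a sliding time window, and flags an account once it crosses a threshold. It also notes when a successful login follows a burst of failures, which is the case most worth escalating. The log format and the sample lines are constructed for this example; a real system's logs will differ in layout and need their own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line format:
# "<ISO timestamp> <RESULT> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL user=jsmith src=10.1.2.3
2024-03-01T09:00:07 LOGIN_FAIL user=jsmith src=10.1.2.3
2024-03-01T09:00:12 LOGIN_FAIL user=jsmith src=10.1.2.3
2024-03-01T09:00:20 LOGIN_FAIL user=jsmith src=10.1.2.3
2024-03-01T09:00:25 LOGIN_FAIL user=jsmith src=10.1.2.3
2024-03-01T09:00:31 LOGIN_OK user=jsmith src=10.1.2.3
2024-03-01T09:05:00 LOGIN_FAIL user=mlee src=10.1.2.9
2024-03-01T10:30:00 LOGIN_FAIL user=mlee src=10.1.2.9
2024-03-01T11:00:00 LOGIN_OK user=mlee src=10.1.2.9
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, result, user, src)."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), result, kv.get("user"), kv.get("src")


def find_repeated_failures(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: alert} for every account whose failed logins reach
    `threshold` within any sliding `window`. An alert records the failure
    count, the first/last failure time, the source address seen at the moment
    the threshold was crossed, and whether a successful login followed the
    burst within the same window (the case to escalate first)."""
    recent = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerts = {}                  # one alert per account, keyed by user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "LOGIN_FAIL":
            q = recent[user]
            q.append(ts)
            # Drop failures older than the window; q is never empty here
            # because ts itself was just appended.
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {
                    "user": user,
                    "failures": len(q),
                    "first": q[0],
                    "last": q[-1],
                    "src": src,
                    "success_after": False,
                }
        elif result == "LOGIN_OK" and user in alerts:
            # A success shortly after a flagged burst may mean the guessing worked.
            if ts - alerts[user]["last"] <= window:
                alerts[user]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in find_repeated_failures(SAMPLE_LOG).values():
        flag = " (SUCCESSFUL LOGIN FOLLOWED)" if alert["success_after"] else ""
        print(f"{alert['user']}: {alert['failures']} failures between "
              f"{alert['first']} and {alert['last']} from {alert['src']}{flag}")
```

With the defaults, only `jsmith` is reported (five failures in under a minute, followed by a success); `mlee`'s two failures are 85 minutes apart and fall outside the ten-minute window. The threshold and window are the tuning knobs: lowering them catches slower guessing at the cost of more noise, which is a judgement the IT function should document alongside the report it delivers to Compliance.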