Our Take Blog

Home
Our Take Blog
The Friday List: The 12-Step Cybersecurity Program

The Friday List: The 12-Step Cybersecurity Program

cybersecurity

 

Today, we offer our “Friday List,” an occasional feature summarizing a topic significant to investment management professionals interested in regulatory issues.  Our Friday Lists are an expanded “Our Take” on a particular subject, offering our unique (and sometimes controversial) perspective on an industry topic.  The term “cybersecurity” may be more of a buzzword in investment management than performance, fiduciary or robo-adviser.

 

  1. Identify location of confidential information.  Conduct an internal assessment of the location of confidential information and who might have access.
  2. Restrict access: Passwords should be specific to each employee and should require updating on a periodic basis.  Also, make sure to shut down access for exiting employees.
  3. Monitor for intrusions: The IT function should add intrusion monitoring as part of the virus and security protocols.  Also, IT should report multiple log-in failures.
  4. Prohibit removable storage media.  Also, create a hardware environment that makes it difficult to use such media.
  5. Limit devices.  Only firm-approved and encrypted devices should have access to the network/system.
  6. Test vulnerability.  Hire an IT firm to perform a vulnerability assessment and conduct penetration testing.
  7. Evaluate vendors.  Ensure vendor selection includes cybersecurity due diligence.  Create ongoing monitoring and reporting system.
  8. Report to Management.  Add cybersecurity as an agenda item to every management and compliance meeting and include reports from IT and Compliance.
  9. Appoint somebody accountable.  One person should own cybersecurity compliance across the organization, whether that person resides in IT, Compliance, or Operations.
  10. Create response plan.  The response plan should include requires notices to clients and regulators and how to patch vulnerabilities.
  11. Consider cybersecurity insurance.  Determine if a cybersecurity insurance policy will protect the firm against a catastrophic event.
  12. Implement policies and procedures.  Develop policies and procedures governing all of the above and annually test whether they are being followed.  Also, ensure ongoing employee training.