If Ben Franklin were alive today, he would add cybersecurity to his famous quote “…in this world nothing can be said to be certain, except death and taxes.” Cybersecurity is top of mind in every organization in part because of the recent massive ransomware attacks, new federal and state regulations (including the New York Division of Financial Services’ Cybersecurity Regulation) and the upcoming effective date of the European Union’s General Data Protection Regulation (GDPR). There is no one-size-fits-all solution for organizations that want to shore up their cybersecurity vulnerabilities, but there are a lot of useful reports and advice from federal government agencies.
In July, the Federal Trade Commission (FTC) launched its “Stick with Security” initiative, which includes publishing business blog posts and other communications each Friday. These blog posts offer practical advice on how the FTC Act applies to data security, informed by the 60+ complaints and orders announced since the Start with Security handbook was first published, as well as lessons learned from investigations that have been closed by staff.
Other federal agencies, including the Securities and Exchange Commission (SEC), have also recently issued important guidance. In August, the SEC’s Office of Compliance Inspections and examinations (OCIE) published Observations from Cybersecurity Examinations, which describes lessons learned from 75 firms, including broker-dealers, investment advisers, and investment funds registered with the SEC, to assess industry practices and legal compliance issues associated with cybersecurity preparedness. The OCIE review noted improvement since its 2014 report, observing that most, if not all of these entities maintained cybersecurity-related written policies, conducted periodic risk assessments of critical systems to identify cybersecurity threats and vulnerabilities, and also conducted penetration tests and/or vulnerability scans. Most entities utilize some form of system, utility or tool to prevent, detect and monitor data loss as it relates to personally identifiable information and other proprietary data, and have processes in place for ensuring regular system updates, including installation of software patches.
While there was general improvement, the OCIE staff noted that a majority of entities examined had remaining issues with their policies and procedures, recommending the following:
- Reasonably tailoring policies and procedures with more practical guidance for employees based on their specific digital environment and implementation needs
- Regularly enforcing policies and procedures so that they match with actual employee practices
- Ensuring that software patches are applied and any legacy systems were replaced
- Remediating any known vulnerabilities or findings of penetration tests
The OCIE staff also highlighted certain policies and procedures that are the hallmark of more robust programs, such as:
- Maintenance of an inventory of data, information and vendors
- Detailed cybersecurity-related instruction relating to, for example, penetration tests, security monitoring and system auditing, access rights and reporting
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including patch management policies
- Established and enforced controls to access data and systems, such as implementation of detailed “acceptable use” policies, required and enforced restrictions on mobile devices, and required periodic logs from vendors
- Mandatory employee training
- Engaged senior management
These principles should not be a surprise to those who follow cybersecurity developments because these principles are largely based on existing sector-specific regulations, which include:
- Knowledge of the entities’ data assets
- Cybersecurity policies, procedures and controls
- Proactive cybersecurity activities
- Qualified cybersecurity personnel
- Breach preparedness and reporting
- Employee awareness and training
- Engaged senior management
Unlike death and taxes, which cannot be completely avoided, good cybersecurity practices – whether in the financial sector or others – can help protect companies from regulatory sanctions, reduce the risk of harm from cyber attacks, and, more importantly, retain the public trust.