To help reduce the risk of a data breach and to protect you and your clients, the SEC issued new guidelines in April 2015 to help fund, investment and financial services companies design and implement an effective cybersecurity program. Here are some best practices to follow:
Schedule periodic assessments of your technology systems
Companies should review their technology systems on a periodic basis to identify potential vulnerabilities and to calculate the impact of any breaches that could occur. The assessment should cover the location, access and storage procedures for any information the firm collects, and should include an analysis of the actual need for any information collected and stored.
Along with identifying risks, the firm should ensure that it has appropriate security and controls in place, including strong firewalls and limited access to external systems. The assessment should validate that all technology security patches are installed and functioning properly, and that no breaches or unauthorized access attempts have occurred since the previous assessment.
Develop a prevention, detection and response plan
All fund and financial services firms should have a strategy in place to ensure that there is a means to identify security breaches when they occur. This may include periodic review of log files or the creation of alerts for repeated access attempts from unauthorized users or IP addresses. Techniques for network hardening (measures that reduce the vulnerability of a computer system) should be incorporated to control access. This should lessen the risk of a breach occurring and limit the extent of damage should a breach occur.
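As an added example (not part of the original guidance), the log-review alerting described above can be implemented like this in Python. The log format, the user allow list and the failure threshold are assumed for illustration, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, outcome, user, source IP.
SAMPLE_LOG = """\
2015-04-20T09:00:01 auth=FAIL user=jsmith src=203.0.113.10
2015-04-20T09:00:05 auth=FAIL user=jsmith src=203.0.113.10
2015-04-20T09:00:09 auth=FAIL user=jsmith src=203.0.113.10
2015-04-20T09:00:12 auth=FAIL user=admin src=203.0.113.10
2015-04-20T09:00:15 auth=FAIL user=admin src=203.0.113.10
2015-04-20T09:01:00 auth=OK user=mlee src=198.51.100.7
2015-04-20T09:30:00 auth=FAIL user=mlee src=198.51.100.7
2015-04-20T10:00:00 auth=FAIL user=root src=192.0.2.44
"""

# Assumed allow list of accounts that are permitted to log in (hypothetical).
AUTHORIZED_USERS = {"jsmith", "mlee"}

def parse_line(line):
    """Split one 'key=value' style log line into (timestamp, outcome, user, source IP)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["auth"], kv["user"], kv["src"]

def find_alerts(log_text, threshold=5, window=timedelta(minutes=5), authorized=AUTHORIZED_USERS):
    """Return alert strings for two rules:
    (1) at least `threshold` failed logins from one source IP inside a sliding time window;
    (2) any login attempt, successful or not, for a user not on the allow list."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, outcome, user, src = parse_line(line)
        if user not in authorized:
            alerts.append(f"unauthorized user '{user}' from {src} at {ts.isoformat()}")
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(f"{len(q)} failed logins from {src} within {window} ending {ts.isoformat()}")
            q.clear()  # one alert per burst; start counting again
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT:", alert)
```

Running it on the sample yields three unauthorized-user alerts and one repeated-failure alert for 203.0.113.10; the single failure from 198.51.100.7 stays below the threshold.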
Firms should consider implementing stronger user authentication (such as two-step authentication using passwords and physical or biometric credential validation); segregating systems or networks to limit access; placing restrictions on the use of removable storage media; using tiered access to information; and adding strong encryption of sensitive data.
Create written policies and procedures
Every financial services firm, investment advisory or fund company uses technology as an integral part of its day-to-day business. It is important to have a set of written policies and procedures to govern the maintenance and use of IT and technology systems. Policies should not just cover standard operating procedures but should also include procedures for identifying and handling security breaches and unauthorized access threats and attempts. The IT team should be trained and certified on their understanding of the procedures. Most modern secure data centers operate using standards such as ISO 27001 or SSAE 16. Starting with one of these standards will help cut the time needed to develop your own in-house procedure manual and help ensure you don’t overlook any areas of vulnerability, diminishing your overall risk.
In addition to the IT team, users should also be governed by policies that inform them on how to create strong passwords, how frequently their password needs to be updated, and the use of personal devices or software on the network.
Once you have your procedures in place, you should conduct periodic reviews to ensure that your team is adhering to your corporate standards. This review is part of your periodic assessment, and it can provide peace of mind that you have done all you can to protect your data.
The need for cybersecurity is a fact of life, but it doesn’t have to be a burden. By creating simple but comprehensive standards, adhering to network management best practices and training your team to be alert to the signs of security breaches, you will have done all you can to protect sensitive data and to mitigate the risk of a data breach.