SEC preparing to increase cybersecurity requirements

 
 

The Securities and Exchange Commission (SEC) introduced a proposal that would require registered investment advisers and fund companies to implement written cybersecurity policies to address growing cybersecurity risks and “enhance cybersecurity preparedness,” said SEC Chair Gary Gensler. If approved, the policies would need to include the following:

  • An assessment of the firm’s risks

  • Controls to prevent unauthorized access to systems and data

  • An incident-response plan detailing the mechanisms in place to detect, mitigate and respond to a breach

While many IT teams focus on the software needed for these types of requirements, creating procedures and policy is just as important. This is why we believe a full security framework is a necessity for every business. Here are a few things you can do to get started:

  • Conduct an annual risk assessment, even if internal and informal. Walk through a couple of example scenarios and try to poke holes in any solutions and plans.

  • Audit active user accounts and access rights quarterly

  • Write an incident response (IR) plan that includes your cyberinsurance policy info and breach hotline

Looking for more information or need additional assistance? Let’s talk. Our monthly IT plans include a full security suite to protect your business, plus a CIO familiar with the financial industry to help with tasks such as risk assessment, due diligence forms, and policy writing.

Dustin Bolander