In a recent NSCP Currents article, Giselle Casella addressed what every compliance office must know about cyber-security.  One of the more compelling lessons was what can be learned from enforcement actions dealing with cyber-security. 

Cyber-security enforcement actions fell into the following groupings: 

  1. Inadequate security policies and procedures;
  2. Failure to enforce policies and procedures;
  3. Failure to conduct periodic cyber-security assessments;
  4. Failure to respond to cyber-security deficiencies;
  5. Failure to protect company networks and client information;
  6. Failure to protect non-public personal information;
  7. Failure to have an adequate firewall or anti-virus software;
  8. Failure to have adequate user access protocols;
  9. Inadequate oversight of third-party vendors; and
  10. Failure to adequately respond to cyber-attacks.

This list demonstrates that enforcement actions reach every layer of a firm's security program, from written policy through technical controls, vendor oversight and incident response. 

For example, these actions focus on written policies and procedures: whether they exist and whether they are adequate.  Taking the next step, they also show a focus on follow-through; it is good to have policies and procedures, but you must actually follow them, and regulators will look for evidence that you did. 

Likewise, what is the security architecture at the firm?  Does the firm have adequate systems and software (including the firewall, anti-virus and user access controls named in the actions above) to stave off cyber-attacks?  Does it have proper oversight of third-party vendors that handle its networks or client information? 

Even if you have the best policies and procedures, you may still be attacked.  In those instances, the firm will be reviewed on the adequacy of its response to the attack, not merely on whether the attack occurred. 

In order to avoid these enforcement actions, it is important for firms to take a granular approach from the ground up.  Are your WSPs (written supervisory procedures) adequate?  When was the last time the firm tested its systems against outside attack?  What is your response plan in the event of a breach?   

If you cannot readily answer these questions, you are not prepared.  Learn from the mistakes of others, and take preventative action to make certain that history does not repeat itself.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.