2. Know your policies and procedures
In its April 15 risk alert, the SEC asked advisory firms to provide the month and year in which cybersecurity action was last taken, the frequency with which such practices are conducted and the group with responsibility for conducting the practice. Further, the SEC wants firms to provide a copy of relevant policies and procedures.
The point of all these policies and procedures, said Daniel Bernstein, chief knowledge officer at MarketCounsel, is to mitigate exposure to cybersecurity risks. For example, he said, advisory firms often fail to train staff routinely and consistently about putting a data protection plan into place. That plan should require portable storage devices to be encrypted. An obstacle: employees who walk out of the office door with unencrypted flash drives and mobile phones that can be lost or stolen.
“It’s often there in the policies and procedures manual, but, ‘Hey, we’re dealing with everyday business life, and we just didn’t get around to that,’” Mr. Bernstein said. “One of the best solutions is you just don’t let people take that data away on their mobile devices. Do they really need a customer’s Social Security number on their flash drive?”