4. Identify your firm’s specific cyber-risks
In Question No. 27 of its 28-question risk alert, the SEC asks: “What does the firm presently consider to be its three most serious cybersecurity risks, and why?”
According to Mr. Sundberg, the best way to identify and protect against such cyber-risks is to use the risk management process standards cited in Question No. 9. Those standards are issued by the National Institute of Standards and Technology or the International Organization for Standardization.