7. Assess and encrypt
Advisory firms need to conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences, the SEC suggests in its risk alert. And if such assessments are conducted, the agency wants to know who conducts them — and, specifically, in what month and year the most recent assessment was completed.
Further, the SEC wants to know whether firms are making use of encryption.
“It goes from basic to complex,” Mr. Stanley said of advisory firms’ risk assessment and encryption practices. “How do you send and receive data? With penetration testing, a company can use software to detect when there are outside threats coming in from hackers. That software can be combined with firewalls and other tech tools behind the scenes to detect the health of the network.”