Now that you’ve seen what ACA Insight has to offer, don’t be without it. Subscribe now!

The weekly news source for investment management legal and compliance professionals

Current subscribers - please log in to the website in the upper right-hand corner

News October 19, 2015 Issue

Assess Cybersecurity Risks Before Creating Policies and Procedures

Make sure you put the cart before the horse when you take your first steps in protecting your firm from cybersecurity attacks.

That first step, by necessity, must be determining just where your firmís areas of cyber vulnerability are. These may be different per size or type of firm. Large advisory firms, for instance, most likely have more sophisticated computer systems and software than do small ones, leaving more areas of vulnerability. Small firms, on the other hand, may have systems or software that are easier to penetrate and hack.

The best way to determine where your firmís cyber risks lie is to conduct a thorough risk assessment. Only when such an assessment is complete can you feel relatively confident about the areas where cybersecurity policies and procedures will need to be created and then implemented.

Why is a risk assessment necessary? "When it comes to IT risk and cybersecurity, itís really a vast area and typically not an advisory firmís area of expertise," said ACA Aponix principal consultant Pascal Busnel. "IT†encompasses all parts of a business these days," he said, adding that cybersecurity risk assessments should be performed by people who understand IT risk and can assess a firmís business and work flow.

Performing a risk assessment prior to or in connection with creating cybersecurity policies and procedures is "necessary," said Sutherland partner Brian Rubin. "The regulators are focusing on this during exams. Itís part of the cost of doing business."

"Your risk assessment should help you evaluate your firmís conformance with current standards and†expectations," said Karen Aavik, first vice president and wealth management compliance officer at Buffalo, NY-based First Niagara Financial Group, who spoke on the subject at a recent industry conference. "It should also help you prioritize cybersecurity needs by evaluating how effectively your firm is mitigating the threats posed to its data through the use of existing policies, procedures, frameworks and processes."

The steps she identified in creating an effective risk†assessment include:

  • Determining what data your firm has, where it is stored, who has access to it, and what needs to be protected;
  • Identifying risks and threats to that data; and
  • Evaluating the impact of a successful cyber attack.

"As the steps suggest, the process of conducting a risk assessment is highly collaborative, requiring you to†engage personnel across your firm in order to ensure that the end product is comprehensive and accurate," Aavik said. She organized the needed steps into three categories: pre-assessment, implementation, and follow-up.

Following are best practices suggested by Aavik in†implementing a cybersecurity risk assessment, with†additional comments from Busnel and Rubin, as indicated:


  • Evaluate whether you have the requisite skills/knowledge to conduct the risk assessment. If not, consider bringing in someone from the outside. "Itís hard to know what you donít know, unless you have a background in IT or cybersecurity," said Rubin.
  • Establish board/senior management support for the initiative and subsequent enhancements that may be required. "It only works if support comes from the top down," said Busnel. A cybersecurity committee that includes compliance, IT experts and upper management will help to ensure this, he said.
  • Identify and engage key contributors to ensure their roles and responsibilities are clearly understood, and that all areas across the firm have been fully mapped out and taken into account. "Certain people may have certain responsibilities during the pre-assessment, such as marketing," said Rubin. "If your firm is using outside vendors, you will want to know how marketing works with that vendor, what the vendor agreement says in regard to cybersecurity, [and] make sure that they are protecting personally identifiable information or company trade secrets."
  • Develop a document, such as a spreadsheet, that†enables you to see the firmís entire cyber risk picture in one place.
  • Develop a uniform scale/thresholds that enable you to better quantify risks, establish priorities and communicate with key decision makers.
  • Evaluate/incorporate regulatory guidance and†industry best practices in the structuring of your risk assessment.


  • Incorporate both internal and external threats†(including those posed by vendors) to your data.
  • Prioritize your firmís data, focusing most on identifying and addressing official information, assets and legally protected information. "A firm needs to know where its crown jewels are," said Busnel, and that may differ from firm to firm. "Individual firms have a different take on what they consider sensitive, what they consider their secret sauce, what they would not want getting out."
  • Consider administrative, physical and technical risks and safeguards that impact your firmís electronic data. "People tend to forget about physical issues, which can be as important as technological ones," said Rubin. "Who has access, how do you know whoís coming in or going out." Busnel noted that firms should "make sure that whatever actions you require are documented. You canít just say, when a problem comes up, ĎGo ask Joe.í There must be a written road map to follow."
  • When evaluating the impact of potential attacks, be sure to take into account both quantifiable (e.g.,†financial) and unquantifiable (e.g., reputational damage) considerations.
  • Actively engage business partners who are in a position to know both the strengths and weaknesses of various electronic platforms.
  • Be methodical and ask enough questions to ensure that you have identified all systems/locations where electronic data may reside.
  • Provide regular updates to key parties throughout the duration of the assignment, and give "off-cycle" notification regarding any acute issues/gaps to the board/senior management. "If red flags you didnít consider before come up or if gaps to implementation appear, update the risk assessment," Rubin said.


  • Develop and communicate an action plan based on the results of the risk assessment, focusing on those items that represent the greatest risks first. Often, firms will want to go after the "lowest hanging fruit," Busnel said. These are items that usually are high risk but low cost, and relatively easy to fix. When there are high risk items that are high cost, firms may want to prioritize them, but create a road map for completion over a designated period of time, he said. "You have to do what is realistic and actionable."
  • Assign owners to each action item, as well as deadlines, to help ensure progress is consistently made.
  • Provide periodic updates to the board/senior management, and clearly identify areas that are not†addressed and/or are considered to be items that can be addressed at a later date.
  • If identified enhancements impact the day-to-day activities of one or more of your firmís employees, make sure that employees are advised of, and properly trained on, the changes.
  • Incorporate the results of your risk assessment into your cybersecurity program (as appropriate).
  • Find a way to stay connected to changes within your firm that may impact your risk assessment Ė know what your firm is susceptible to, based on the business you conduct, systems/technology utilized, etc. "The risk assessment is a snapshot and to the extent business changes, systems change, someone has to be aware of the impact of the change on the risk†assessment," Rubin said.
  • Plan for a periodic refresh of the risk assessment, adding new industry threats, incorporating incidents, etc., as appropriate. "You canít just set it and forget it with security," Busnel said.