
The weekly news source for investment management legal and compliance professionals


News December 7, 2015 Issue

Draft Cybersecurity Policies and Procedures That Fit Your Firm

One size doesn't fit all when it comes to drafting cybersecurity policies and procedures, an essential part of an effective cybersecurity program. While most need to be drawn with certain parameters in mind, they also need to be tailored to match the conditions and risks of your advisory firm.

"They have to be right-sized," said ACA Aponix principal consultant Pascal Busnel. "They need to take into account a firm's culture and work flow, as well as a firm's size. The larger the firm, the more complex it is, the more moving parts."

As a baseline, however, cybersecurity policies and procedures for any firm need to meet certain criteria, said Buffalo, NY-based First Niagara Financial Group first vice president and wealth management compliance officer Karen Aavik, who spoke on the subject at a recent industry conference. Cybersecurity policies and procedures, she said, must:

  • Be easily understandable;
  • Be readily accessible;
  • Encompass administrative, technical and physical considerations that impact your firm's electronic data; and
  • Be periodically reviewed and updated as necessary, but at a minimum annually.

Any drafting of cybersecurity policies and procedures, moreover, should be preceded by a cybersecurity risk assessment in order to determine your firm's areas of vulnerability (ACA Insight, 10/19/15).

Cybersecurity policies and procedures "will be one of the first items that SEC examiners will ask to see," said Sutherland partner Brian Rubin. In addition, he said, in the event of a cyber breach, policies and procedures will provide firms with a "game plan" to respond.

How to do it

Use the following best practices offered by Aavik, with additional comments by Busnel and Rubin, to ensure that the above criteria are met and that the finished policies and procedures meet your firm's unique needs and risks.

  • Do not use legalese. "It's important that employees understand what the policies and procedures are saying," said Rubin. Busnel suggested that firms "make it easy to read. You have to understand your audience and how they think." Have "multiple eyes" look at draft versions of the policies and procedures, including from departments where the work involves communication, such as marketing and compliance, he said.
  • Make the finished policies and procedures available electronically in a centralized location. "If someone has to run around and rifle through cabinets to find them, that's going to defeat the purpose," Busnel said. Any paper documents found may also prove to be out of date, so instruct personnel to destroy older versions. Electronic files in a central location can be easily updated and located.
  • Assign responsibility for the maintenance of each policy/procedure. "It's important that there is accountability, otherwise things could fall through the cracks," said Rubin. Busnel made the point that "someone has to take ownership and be on the hook for it." In some firms, particularly smaller ones, only one individual might be needed. In larger or more complex firms, however, responsibility might be divided among several people. Make sure that the individual(s) named are knowledgeable in the issues and areas covered and are in a position to influence change and establish accountability, said Aavik, adding that whoever is given responsibility should also ensure that he or she is advised of changes within the firm.
  • Establish roles and responsibilities for data ownership and employee privileges. This is separate from assigning responsibility for maintenance of all cybersecurity policies and procedures, said Busnel. "You want someone to own data security and employee privileges in terms of access, so that person can make sure that only the right people have access."
  • Create a schedule articulating when policies and procedures must be reviewed and/or updated to help ensure no documents fall through the cracks. "A firm, to be secure, is always addressing risk as a moving target," said Busnel. "Policies and procedures must always be updated to prevent their decay." A schedule assigns accountability. "It's putting a name and a completion date together. It must be an individual. If a task is left to a committee, it most likely will not be completed," he said.
  • Define and document a formal exception review and decision-making process that includes a review of corresponding risk controls. "There are always going to be exceptions, for instance when someone needs to gain access, despite the existence of a firewall, in order to reach a file-sharing site," said Busnel. When the need for an exception arises, Aavik said that the process should require the firm to review and document the controls that it has in place to manage the risks associated with deviating from established standards.
  • Obtain board and/or senior management support and approval. Buy-in from the top makes the process "really work," Busnel said. Rubin noted that "the SEC has been clear that it is looking at governance, senior leadership and the tone at the top, as these can significantly affect the firm, its clients and its reputation. Senior leadership has to be part of the process."
  • Policies and procedures, while customized to your firm's business, must also address specific risks. "They should generally cover issues such as access controls, electronic data disposal, email security and retention, social media use, lost and/or stolen devices, the hiring process (background checks, credentialing), third-party providers, and other areas that represent reasonably foreseeable risks of data disclosure, misuse, alteration or destruction," said Aavik.
  • Provide either organization-wide or job title-specific training to help ensure compliance with core policies and procedures. Training done on a person-to-person basis typically works better than web-based training, which has the drawback of causing those participating to simply want it to be over, said Busnel. Aavik suggested that firms require employees to certify their commitment to abide by the policies and procedures, something Busnel agreed with. "You need to have them acknowledge that they have read the requirements, that they understand them, and that they will adhere to them," he said. "There can be no ambiguity."
  • Consistently enforce the provisions of your policies and procedures, and have an escalation process in place for violations. Such a process does not need to be negative, Busnel said. When an employee initially violates one of the policies or procedures, a simple reminder may do. "The goal is to re-educate the individual." However, for those who repeatedly violate the requirements, escalation to more significant remedies may be necessary, he said.
  • Develop and implement monitoring mechanisms to ensure ongoing compliance with key policies and procedures. Look into purchasing third-party software that allows electronic use to be monitored, Busnel said.
  • Establish reporting to the board and/or senior management regarding policy and procedure violations, breakdowns in processes, and other issues, highlighting areas that represent significant risks to the firm. It is essential, Busnel said, that "the key people in the firm seriously want to address cybersecurity risks." One way of maintaining buy-in from upper management is to keep them informed, he said, particularly because "risks are always moving." In addition, noted Rubin, the board and senior management should be aware of any challenges so they can provide adequate resources to address them.