Cybersecurity
You can download a full copy of the slides from this webinar.
Full video transcript available below:
Hello and thank you for joining today's webinar Best Practices to Master an SEC Exam. Our presenters today join us from Northpoint Compliance, Victoria Hogan and Colleen Montemarano.
As I was saying, this is nothing new. I always think of cybersecurity to be, as for companies putting advisers ... oh here, I see it now ... advisers as to do [inaudible 00:45:02] it's even more important, but I always see in this the camp of, when we go to our advisers or clients, we see this is handled internally by the IT department or by an IT consultant. Nevertheless, it's important that the CCO is communicating with the [inaudible 00:45:22] from the SEC and then with their IT department to make sure that anything new from the SEC that comes out, those ways to reduce risk, those new risks that come out, are being considered by the IT department or your priority service provider who handles cybersecurity.
So, while this is a topic for the tech folks, it's your responsibility to make sure that, for example, here is where the examination focuses. You want to make sure that your cybersecurity policies and procedures will, first of all, for those 10% of folks that don't have them in writing or don't have them, develop them, obviously [inaudible 00:46:00] in writing, and when you do so, you want to make sure that these six points here are addressed in your written cybersecurity plan. And remember too, this is not just an SEC type of risk, but it's a reputation risk as well. Imagine if your firm is affected by a cybersecurity incident; imagine having to tell your clients about that. Also, it would be embarrassing and won't reflect well upon your firm. You want to make sure that ... I don't have to name these six bullet points here ... but they were specifically listed in the 2018 Exam Priorities.
One thing I would pull out, from some of the cybersecurity folks that I speak to, is that training is so key. Training really is one of the best things you can do to prevent a cybersecurity attack. Something we've seen our clients do, which I think is pretty kind of ... I don't know what you call it, but it's interesting ... is they've internally sent out emails, and even the CCO doesn't know what the email is going to be, but their IT service provider provides an email that's really like a pretend phishing scam, and then they see how many of the employees click on the link they're not supposed to click on, or do something else that could compromise the system. And for those folks that do click on it, a report comes back and the folks have to sit through, like, a half hour of additional cybersecurity training. I think that's a great tip, and it's something we've seen happen with our clients.
And then finally, as the CCO, you want to make sure ... This is what the SEC will be looking at ... that anything you say that you do in your cybersecurity plan, you actually are doing. So, if your cybersecurity plan says you do penetration testing, you want to make sure that you're actually doing that, because then the SEC could say, an SEC examiner would say, that you are not complying with your internal controls, and so this is a weakness in your internal controls.
So again, this is a hot issue. It's nothing new, but yeah, put it in writing, and also make sure that you're covering the topics that were discussed by the SEC in the 2018 priorities.
This webinar was co-hosted with Victoria Hogan and Colleen Montemarano of NorthPointCompliance.com