One of the first questions on the SEC’s cybersecurity questionnaire for financial firms asks whether they "conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences", and if so, who conducts them and how often. The goal behind this question is clearly to confirm that firms are taking a proactive approach to security. But what exactly does such a risk assessment entail?
Here’s a quick overview.
In practice, the assessment most often associated with information technology and cybersecurity is an external vulnerability assessment: the process of identifying and categorizing the vulnerabilities present in a firm’s systems and network infrastructure, as seen from outside the firm’s perimeter. (A full risk assessment, as the SEC question phrases it, also weighs threats and business consequences; the vulnerability assessment is its technical core.) Typical steps in a vulnerability scan or assessment include:
Identifying all appropriate systems, networks and infrastructures;
Scanning the externally reachable systems for weaknesses an outside attacker could exploit, such as exposed services, missing patches and weak configurations;
Classifying vulnerabilities based on severity; and
Making tactical recommendations for remediating or mitigating each vulnerability found, prioritized by severity.
As a best practice, Eze Castle Integration recommends that hedge funds and investment firms conduct external vulnerability assessments at least once per year. Many firms opt for semi-annual scans, particularly when the firm’s technology environment is continually changing, since every new externally facing system or configuration change can introduce exposure the last scan never saw.
The true goal of the vulnerability assessment is to gauge the level of security a firm has in place to protect against external threats and cyber-attacks. Depending on the third party conducting the test, a firm may be ‘graded’ with a number or letter score or simply provided with a list of vulnerabilities and security recommendations. Here’s one example of a grading system associated with a vulnerability/risk assessment:
Excellent: The firm’s security exceeds industry standards and best practices, and overall the firm’s security was found to be in excellent condition with only minor, low-level security vulnerabilities discovered.
Good: The firm’s security meets accepted standards within the industry, and overall the firm’s security was found to be strong with only a few low and medium-level security risks identified.
Fair: The firm’s security is somewhat below current industry standards and moderate changes would need to be implemented to increase security and meet industry levels.
Poor: The firm’s security has significant deficiencies and is well below industry standard level. Major changes would need to be implemented to alleviate critical and high-level vulnerabilities and elevate the firm’s overall security program.
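To make the scan-and-classify steps and the four-level grading scale above concrete, here is an added example (not Eze Castle Integration’s tooling or anything the post itself provides). It takes a constructed list of findings of the kind an external scanner reports, assigns each a severity using the CVSS v3.x qualitative bands, and derives a grade. The grade thresholds (`Poor` if anything critical or high is found, `Fair` above `MAX_MEDIUM_FOR_GOOD` medium findings, `Good` for a few mediums, `Excellent` for low-only) are an assumption made here to turn the prose scale into something computable; the hostnames, ports and scores are illustrative.

```python
"""Classify external vulnerability-scan findings by severity and grade the result.

Added example, not the post's own code. SAMPLE_FINDINGS is constructed data;
the severity bands follow the CVSS v3.x qualitative rating scale; the grade
thresholds are an assumption used to operationalize the post's Excellent /
Good / Fair / Poor scale.
"""
from dataclasses import dataclass, asdict


@dataclass
class Finding:
    host: str            # affected system
    port: int            # exposed service
    title: str           # description of the weakness
    cvss: float          # CVSS v3.x base score, 0.0 - 10.0
    recommendation: str  # how to remediate or mitigate


# Constructed sample findings for a small externally facing footprint
# (hosts, ports and scores are illustrative, not real scan output).
SAMPLE_FINDINGS = [
    Finding("vpn.example.com", 443, "TLS 1.0 enabled", 5.3,
            "Disable TLS 1.0/1.1 and allow TLS 1.2 or newer only"),
    Finding("mail.example.com", 25, "SMTP banner discloses software version", 2.6,
            "Suppress the version string in the service banner"),
    Finding("www.example.com", 443, "Strict-Transport-Security header missing", 3.1,
            "Add an HSTS header with a max-age of at least one year"),
    Finding("rdp.example.com", 3389, "RDP exposed to the internet without NLA", 8.8,
            "Remove RDP from the perimeter; reach it over VPN with NLA enabled"),
]

# CVSS v3.x qualitative severity rating scale: (lower bound, label).
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

# Assumed threshold: more than this many medium findings drops "Good" to "Fair".
MAX_MEDIUM_FOR_GOOD = 3


def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative severity label."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "None"


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per severity label, always returning every label."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    counts["None"] = 0
    for f in findings:
        counts[severity(f.cvss)] += 1
    return counts


def grade(counts: dict[str, int]) -> str:
    """Apply the assumed thresholds to the post's four-level scale."""
    if counts["Critical"] or counts["High"]:
        return "Poor"          # critical/high findings need major changes
    if counts["Medium"] > MAX_MEDIUM_FOR_GOOD:
        return "Fair"          # moderate changes needed to reach industry level
    if counts["Medium"]:
        return "Good"          # only a few low and medium findings
    return "Excellent"         # low-level findings only


def report(findings: list[Finding]) -> dict:
    """Build the deliverable described in the post: per-finding description,
    affected system and recommendation, plus an overall grade."""
    counts = count_by_severity(findings)
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return {
        "grade": grade(counts),
        "counts": counts,
        "findings": [{**asdict(f), "severity": severity(f.cvss)} for f in ranked],
    }


if __name__ == "__main__":
    out = report(SAMPLE_FINDINGS)
    print(f"Overall grade: {out['grade']}  {out['counts']}")
    for f in out["findings"]:
        print(f"[{f['severity']:8}] {f['host']}:{f['port']} {f['title']} -> {f['recommendation']}")
```

The ordering matters in practice: a single high-severity exposure such as an internet-facing RDP service outweighs any number of low-severity banner leaks, which is why the grade is driven by the worst finding first and only then by the count of mediums.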
For each vulnerability identified in the assessment, the report includes a description of the risk, the specific systems or networks affected, and a recommendation for how the firm can remediate or mitigate it. Ultimately, these assessments and their corresponding documentation serve to demonstrate three things:
A) that the investment firm is taking the SEC’s cybersecurity inquiry seriously and preparing for upcoming exams;
B) that investors can feel confident the firm is implementing policies and procedures to protect investor information and assets; and
C) that the firm is taking an overall proactive approach to security and business continuity.