Cybersecurity Policies and Best Practices: Complying With New SEC Rules
Most organizations maintain guidelines that govern their cybersecurity. But the SEC now wants firms to formalize their cyber risk policies and procedures. These measures should be achieved through written documents that establish responsibilities and workflows.
Such an approach is a cybersecurity best practice, because your plans, policies and procedures form the basis of all your cybersecurity efforts. The documents should be comprehensive to cover all aspects of your business.
Begin the effort by categorizing and prioritizing your cyber risks and aligning cybersecurity with your business model. For instance, if you rely on trading algorithms, the SEC will expect you to manage processes for secure application development.
Next, classify your business-critical information architecture and data assets. Don’t overlook this step, because it’s crucial to document your IT environment and understand all places your data resides. It’s the only way to be sure you’re securing that data on an ongoing basis.
Also identify service providers that have access to your data. Even if you outsource an IT platform or service, you’re still responsible for protecting relevant data. You also need to be able to continue the operation that investors rely on, even if service-provider systems go down.
Note that your IT infrastructure and the cyber threats against it will change over time. As a consequence, you need to make sure cyber policies and procedures remain up to date. Review formalized documents at least annually. If you change your environment – migrating to the cloud, for example – update procedures accordingly.
Access Management Best Practices
The SEC has long offered suggestions for how to manage data access. But for the first time the agency is being specific about best practices for access management.
That starts with an acceptable use policy (AUP), a document that stipulates the behaviors users agree to when accessing data. It also includes management of credentials at the end of projects or when offboarding employees. Be sure to terminate credentials whenever they’re no longer needed.
Also adopt the concept of “least-privilege access.” Users should have permissions to use only the information resources they require. To implement this, you’ll need a clear understanding of your data and systems, including software-as-a-service (SaaS) platforms. Security tools can help, but getting a handle on least-privilege access can take time.
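To make the two preceding points concrete, here is an added example (not from the article or the SEC) of a deny-by-default, role-based permission model. The roles, permission names, users and dates are constructed for illustration. It shows three things the text asks for: users get only the permissions their role needs, credentials stop working when a contractor engagement expires or an employee is offboarded, and granted-but-unused permissions can be surfaced as candidates for removal.

```python
"""Least-privilege access with credential lifecycle (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, Optional, Set

# Hypothetical roles and the minimal permissions each needs (constructed for this example).
# Anything not listed here is denied by default.
ROLE_PERMISSIONS = {
    "trader": {"orders:read", "orders:write"},
    "analyst": {"orders:read", "research:read"},
    "contractor": {"research:read"},
}


@dataclass
class Account:
    user: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True
    expires: Optional[date] = None  # project or contract end date, if any


def effective_permissions(acct: Account, today: date) -> Set[str]:
    """Union of the account's role permissions; empty if disabled or expired."""
    if not acct.active:
        return set()
    if acct.expires is not None and today > acct.expires:
        return set()
    perms: Set[str] = set()
    for role in acct.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def is_allowed(acct: Account, permission: str, today: date) -> bool:
    """Authorization check: allowed only if explicitly granted and the account is live."""
    return permission in effective_permissions(acct, today)


def offboard(acct: Account) -> None:
    """Offboarding: disable the account and strip every role so nothing lingers."""
    acct.active = False
    acct.roles.clear()


def unused_permissions(acct: Account, exercised: Iterable[str], today: date) -> Set[str]:
    """Permissions granted but never exercised in a review period: candidates for removal."""
    return effective_permissions(acct, today) - set(exercised)


if __name__ == "__main__":
    today = date(2024, 1, 15)  # constructed review date
    alice = Account("alice", {"trader"})
    carl = Account("carl", {"contractor"}, expires=date(2024, 1, 10))
    print("alice can write orders:", is_allowed(alice, "orders:write", today))
    print("carl (expired) can read research:", is_allowed(carl, "research:read", today))
    offboard(alice)
    print("alice after offboarding:", effective_permissions(alice, today))
```

The review function is what turns "least privilege" from a one-time setup into an ongoing process: feed it the permissions actually used during the annual review the article recommends, and the difference is the set to revoke.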
The SEC also appears to be calling for multi-factor authentication (MFA), which many experts already consider a cybersecurity necessity. MFA combines what you know (a password), what you have (a device) and what you are (a biometric such as a fingerprint).
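As an added example (not part of the article), the following code shows what the "what you know" plus "what you have" combination looks like in practice: a salted password hash for the first factor and a time-based one-time code (RFC 6238 TOTP, as generated by common authenticator apps) for the second. The password, secret and timestamps are constructed test values; the TOTP secret used in the usage section is the RFC's own test key. Two details matter for defenders: both factors are always evaluated so the response time does not reveal which one failed, and a code is accepted for only one time step so a captured code cannot be replayed.

```python
"""Two-factor verification: password hash + TOTP (illustrative example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30       # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the algorithm authenticator apps implement)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class MfaVerifier:
    """Holds one user's stored credentials and checks both factors on each login."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt, self.digest = hash_password(password)
        self.secret = totp_secret
        self.last_step = -1  # highest time step already used; blocks replay

    def verify(self, password: str, code: str, now: int) -> bool:
        pw_ok = verify_password(password, self.salt, self.digest)
        step = now // TOTP_STEP
        used_step = None
        # Accept the current step and one on either side to tolerate clock drift,
        # but never a step that has already been consumed.
        for s in (step - 1, step, step + 1):
            expected = totp(self.secret, s * TOTP_STEP)
            if hmac.compare_digest(expected, code) and s > self.last_step:
                used_step = s
        # Both factors were computed regardless of the other's result (no early exit).
        if pw_ok and used_step is not None:
            self.last_step = used_step
            return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 6238 test key, constructed usage
    v = MfaVerifier("correct horse battery staple", key)
    code = totp(key, 59)                    # what the user's authenticator would show
    print("login:", v.verify("correct horse battery staple", code, 59))
    print("replay of same code:", v.verify("correct horse battery staple", code, 61))
```

A production deployment would add per-user rate limiting and store `last_step` persistently, but the structure above is the control the article is pointing at: possession of the password alone is not enough to authenticate.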
In addition, the SEC also wants you to understand your network perimeter. That used to be the four walls of your office. But with cloud computing, SaaS and a remote workforce, your perimeter is in constant flux. Helpful cyber solutions include a cloud access security broker (CASB) that monitors user activity and enforces security policies.
Note that secure remote access doesn’t apply just to employees. Contractors, partners and vendors also require controls like MFA. And don’t neglect strong authentication for processes like wire transfers.
Taking the actions described here will help your firm prepare to comply with the final SEC rules. They’ll also equip your organization with cybersecurity best practices to safeguard your information assets.