The SEC has proposed new rules on cybersecurity risk management for registered investment advisers and funds, commonly referred to by the proposed rule number 206(4)-9 under the Investment Advisers Act. In this blog post, we’ll outline the seven steps your firm needs to take to strengthen its cybersecurity posture and meet the expectations of regulators.
- Establish a Board-Level Cybersecurity Oversight Function
The first step is to establish a board-level cybersecurity oversight function. This doesn’t mean creating a new board committee devoted solely to cybersecurity (although that’s an option). Instead, it means assigning responsibility for cybersecurity governance to an existing board committee, such as the audit committee, and ensuring that the committee receives regular, documented updates on the state of your firm’s cybersecurity program, including the results of risk assessments, incident response tests, and any incidents that occurred.
- Conduct a Risk Assessment
Your second step is to conduct a risk assessment to identify the specific cyber risks and threats facing your firm, including risks introduced by third-party service providers. The proposed rule does not prescribe a particular framework; the NIST Cybersecurity Framework is a sensible default because it is well-recognized, widely used, and easy to map to regulatory expectations. Once you’ve identified your firm’s specific risks, you can prioritize them and develop appropriate mitigation strategies, documenting the rationale for each decision.
- Develop a Cyber Incident Response Plan
Your third step is to develop a cyber incident response plan. This should include both technical and non-technical components, and it should be regularly tested (for example, through tabletop exercises) and updated. The plan should be tailored to your firm’s specific risks and needs, but it should at least address roles and responsibilities, communication and escalation protocols, data backup and recovery procedures, and employee training. Some firms include this as part of the firm’s overall BCP (Business Continuity Plan), while others draft a separate document to cover cyber-related incidents.
- Implement Access Control Measures
Your fourth step is to implement access control measures to restrict access to sensitive information on a need-to-know basis. This includes both physical and logical access controls, such as user authentication requirements (e.g., strong passwords and multi-factor authentication), least privilege principles (e.g., granting employees access only to the information they need to do their jobs), and periodic access reviews so that privileges are removed promptly when roles change or employees leave.
- Implement Data Loss Prevention Measures
Your fifth step is to implement data loss prevention (DLP) measures. DLP refers to any measure taken to prevent sensitive data from leaving your firm’s control without authorization. This might include encrypting data in transit and at rest (which protects against interception, though not against an authorized user exfiltrating data), implementing comprehensive activity logging so that data movement can be reviewed, or deploying DLP software that inspects email, web uploads, and removable media for sensitive content.
- Train Employees on Cybersecurity Procedures
Your sixth step is training employees on security procedures, including both technical procedures (e.g., how to spot phishing emails) and non-technical procedures (e.g., whom to notify if they suspect an account or device has been compromised). Employee training should be ongoing, should account for changes in threats over time, and should be documented so that you can demonstrate it to regulators.
- Monitor Your Network for Suspicious Activity
Your seventh and final step is continuous monitoring of your network for suspicious activity using both automated tools (e.g., intrusion detection systems and centralized log alerting) and manual processes (e.g., periodic reviews of system logs), supplemented by regular vulnerability scans to find weaknesses before an attacker does. Quick detection lets you contain a breach before significant damage is done.
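To make the log-review part of this step concrete, here is an added example (not code from the original post or from MTradecraft) of the kind of detection logic a periodic review can automate: it scans sshd-style authentication log lines for a source IP that fails to log in repeatedly and then succeeds, which is the classic signature of a password-guessing attack. The log lines are constructed for illustration, and the threshold and time window are assumed values you would tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from a real system).
# 203.0.113.7 fails five times and then succeeds; 198.51.100.20 is a normal user.
SAMPLE_LOG = """\
2024-03-04T09:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5001
2024-03-04T09:00:03 host1 sshd[102]: Failed password for root from 203.0.113.7 port 5002
2024-03-04T09:00:05 host1 sshd[103]: Failed password for root from 203.0.113.7 port 5003
2024-03-04T09:00:06 host1 sshd[104]: Failed password for root from 203.0.113.7 port 5004
2024-03-04T09:00:08 host1 sshd[105]: Failed password for root from 203.0.113.7 port 5005
2024-03-04T09:00:10 host1 sshd[106]: Accepted password for root from 203.0.113.7 port 5006
2024-03-04T09:15:00 host1 sshd[107]: Failed password for alice from 198.51.100.20 port 6001
2024-03-04T09:16:30 host1 sshd[108]: Accepted publickey for alice from 198.51.100.20 port 6002
"""

# Matches "<timestamp> <host> sshd[<pid>]: Failed|Accepted <method> for [invalid user ]<user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_bruteforce_logins(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that accumulated at least `threshold`
    failed logins within `window` and then logged in successfully.
    (threshold and window are assumed defaults; tune them for your environment.)"""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        ip, now = event["ip"], event["ts"]
        # Keep only failures that fall inside the sliding window.
        failures[ip] = [t for t in failures[ip] if now - t <= window]
        if event["result"] == "Failed":
            failures[ip].append(now)
        else:
            if len(failures[ip]) >= threshold:
                alerts.append({
                    "ip": ip,
                    "user": event["user"],
                    "failures": len(failures[ip]),
                    "success_at": now.isoformat(),
                })
            # A success resets the counter for that IP either way.
            failures[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_logins(SAMPLE_LOG):
        print(f"ALERT: {alert['failures']} failed logins from {alert['ip']} "
              f"followed by success as {alert['user']} at {alert['success_at']}")
```

In practice you would feed this the output of your log collector rather than an inline string, and route alerts into the same ticketing or SIEM workflow your incident response plan references, so that a detection automatically triggers the procedures in step three.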
Following these seven steps will help your firm prepare for the SEC’s cybersecurity rules and make your organization more secure in the process. If you need assistance implementing any of these steps, MTradecraft would be happy to help.