Last week, the SEC issued a Risk Alert, announcing that they will continue to assess cybersecurity risk and preparedness among brokers/dealers, investment advisors, and other financial institutions. The release details several focus areas for these exams. Here are a few highlights:
Governance and Risk Assessment: Examinations will assess whether businesses are evaluating cybersecurity risks, and whether or not there are appropriate controls in place.
Access Rights and Controls: The SEC will look to see how businesses manage access to systems and data through user credentials, authentication, and authorization.
Data Loss Prevention: Examiners will assess how businesses monitor the volume of data transferred outside of their networks by employees and third parties.
Vendor Management: Recognizing that some of the largest data breaches over the last few years have originated from the hacking of third parties, the SEC examiners will also assess businesses’ practices and controls for vendor management. Specifically, examiners will look at vendor selection, contract terms, monitoring, and oversight of vendors.
Like many financial regulators, the SEC is focusing on vendor risk management. Last month, US law enforcement officials, along with the Securities and Exchange Commission, announced the indictment of 35 individuals who hacked into earnings press statements prior to their release. Armed with this insider information, the traders made more than $100 million in profitable trades before the earnings became public.
The case is a perfect illustration of how complex third-party security has become: data breaches affecting critical vendors, contractors, and other business associates can have a material impact on your business. These newswires were not likely critical vendors for the businesses affected by insider trading, yet they held highly sensitive data.
Third-party data breaches have affected multiple industries this year. The compromise of two background check providers for the government was integral to July’s breach of the Office of Personnel Management (OPM).
Commercial enterprises continue to struggle with vendor risk management. Recently, CVS confirmed a data breach of their photo service, which remains offline after hackers allegedly breached PNI Digital -- a third-party vendor that manages the photo website.