Key Considerations for Building a Strong Cyber Compliance Program
Last week, ACA hosted a regulatory breakfast briefing in Boston for our private fund adviser clients. I participated in a Q&A with ACA Senior Principal Consultant Mike Abbriano on what the SEC is looking for when they perform a regulatory cybersecurity exam, and how firms can build a best-in-class cybersecurity program that protects their data and keeps the SEC away. In this blog post I recap some key takeaways from the session.
Building Your Cyber Compliance Program
This may seem like a given, but above all the SEC wants to see that cyber is a top priority for your firm and that you have adequate cyber policies and procedures in place. Are you able to provide evidence of these policies and procedures being enacted if the SEC comes to your door?
Here are some ways you can bolster your firm's cyber policies and procedures:
- Create a culture of cyber compliance, starting with your board and upper management. Cyber and compliance should be top priorities across your firm.
- Conduct routine risk risk assessments to understand your weaknesses and what you need to address. This will help you build a framework for the policies and procedures that are appropriate for your firm.
- Conduct regular penetration testing and vulnerability scanning to identify and address risks before they become an issue.
- Conduct due diligence of your vendors (and portfolio companies, for private equity firms) to assess their cyber and technology risks.
- Implement reasonable access controls and segregation of duties (e.g., multi-factor authentication, email monitoring, managing individuals' access to systems) to mitigate the risks presented by employees. Employees should only have access to the information they need to know.
- Conduct annual (at a minimum) cyber awareness training for your staff, including periodic phishing testing. Make sure your staff are aware of the risks and what to look for.
- Implement a comprehensive incident response plan that addresses the actions your firm would take in the event of a cyber incident. Test the plan using a tabletop "role-play" walkthrough of the plan from beginning to end to make sure it's comprehensive and all players are prepared in the event of an actual incident. Going forward, track and document any cyber incidents, including remediation and mitigation steps taken, to demonstrate diligence in this area.
- Invest in your technology infrastrucuture. Technology is the backbone of your firm and its data. Actively manage your technology, and actively manage the security around it.
- Consider implementing best-in-class cyber technology, such as tools to monitor and prevent data loss and an intrusion prevention system (IPS) to protect your perimeter.
How ACA Can Help
ACA can help your firm assess its cyber and technology risks and implement adequate policies and procedures to protect your firm and data. Our solutions include:
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Cyber incident response planning and testing
- Vendor diligence and management
- Phishing testing and cyber awareness
- Portfolio company IT and cyber risk reviews
About the Author
Mike Pappacena is a Partner based in New York for ACA Aponix, ACA Compliance Group’s cybersecurity and risk division. In this role, he performs cybersecurity risk assessments, conducts vendor due diligence, and contributes to policy authoring, staff training, and product development. Prior to ACA, Mike served as a project manager for Jefferies LLC and worked on several compliance initiatives. In addition, he spent fifteen years at Goldman Sachs, where as a vice president in the Technology Division, he managed development teams supporting the firm’s Legal, Compliance and Audit, Sarbanes-Oxley, Operational Risk, and Technology Risk departments. He also managed Fundamental Equities and Alternative Investments in the GSAM division. Earlier in his career, Mike worked as an engineer at Long Island Lighting Company (now PSEG). Mike earned his Bachelor of Electrical Engineering degree from the Pratt Institute and his Master of Business Administration degree (Finance concentration) from Adelphi University.