Examinations focusing on Cyber for brokerage and securities firms
The banking industry has traditionally been the poster child of regulation. I’ve been dealing with federal and state regulators since I started in the industry back in the early 90s. I can remember one of my first “IT Examinations” back in 1995 – the examiners at the time were more interested in getting up to speed on the rapidly evolving technology than they were with being able to provide direction to the bank. Those days are definitely over and many very talented and skilled examiners now exist at every agency that regulates banking.
Review of technical controls back then may have been a bit of a joke, but nowadays, it’s no laughing matter, which is evident by the ramping up of cybersecurity by the examination body that regulates brokerage and securities firms – the OCIE. For years, the examination effort spent on IT was marginal at best.
Last year around this time, the OCIE came out with a Risk Alert that stated that they were going to be focusing their efforts on cybersecurity. They published a document that outlines the key areas they will be covering in their examinations going forward.
Glancing through the appendix of this document, the traditional banker wouldn’t bat an eye, but if you are a small securities firm, this is something that will likely give you pause. It discusses such topics as periodic assessments, vulnerability scans, and policies. These are not typically a problem and can be put in place rather quickly, but what about nebulous areas like data mapping, data classification, risk management, vendor management and incident response? That’s a heavy weight on the shoulders of a small IT staff – especially if most of those terms are unfamiliar!
Peters & Associates can help you put together a strategy for understanding where the gaps are and executing the project to close those gaps. Compliance initiatives are something we work with continually across many industries. Contact us today for more information on our expert consulting and security solutions at firstname.lastname@example.org.