It just happened. You cannot believe it. You have had a breach. You now need to report it to the authorities. You contact the FBI, and they start asking questions: "Do you have a cybersecurity program? Can we see it? Can you evidence what is written in your cybersecurity program?"
You are surprised, since you expected questions about the breach itself. Instead, they focus on verifying whether you met one of the most common requirements in cybersecurity regulation: having a written cybersecurity program. Of these three questions, the last one matters most: "Can you evidence what is written in your cybersecurity program?" A document describes intent; evidence (dated logs, training records, risk assessment reports, access reviews, test results) shows that the intent was carried out.
Lately, we have seen our share of bad news about financial services organizations being fined, not because they lacked a cybersecurity program, but because they could not show evidence of doing what the program required, or, worse, because they simply did not do what was written in their plan.
The NIST Cybersecurity Framework and After
How did we get here? Rewind to 2014, when the federal government, with input from the public and private sectors, released the NIST Cybersecurity Framework, built on five simple but powerful functions: identify, protect, detect, respond and recover. The framework is voluntary, but its concrete, outcome-based structure gave regulators and firms a common vocabulary that the vague recommendations of earlier regulations lacked. (NIST Cybersecurity Framework 2.0, released in 2024, added a sixth function, govern, which covers exactly the program-management and accountability duties discussed below.)
Then came new regulations from the likes of the New York Department of Financial Services (NYDFS), with 23 NYCRR Part 500, and the National Association of Insurance Commissioners (NAIC), with its Insurance Data Security Model Law. These regulations are far more demanding than their predecessors, and they apply to firms of all sizes, with only limited exemptions for the smallest. Yes, an RIA firm, an independent broker-dealer and an insurance agency now all have almost the same regulatory requirements to protect non-public information (NPI).
The CISO Role
Regulations such as NYDFS Part 500 require the firm to designate a chief information security officer (CISO), who may be an employee or a qualified third party, to develop, implement, manage and enforce the firm's cybersecurity program and to report on it to senior management or the board.
Wikipedia goes deeper and defines it well: “A CISO is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the enterprise to reduce information and information technology risks. The CISO responds to incidents, establishes appropriate standards and controls, manages security technologies and directs the establishment and implementation of policies and procedures. The CISO is also usually responsible for information-related compliance.”
Wow, CISOs are busy!
Challenges with Cybersecurity Requirements
If you are still reading this, you may be a CISO, or you may simply be the person responsible for the cybersecurity program. You may already have read some cybersecurity regulations, or you may have to meet cybersecurity requirements imposed by the larger enterprises you do business with (custodians, broker-dealers, carriers). In any case, what you face in these documents is typically a long list of paragraphs containing policy after policy. When you are done reading, you realize that to evidence compliance you do not just need a document, you need a system: something that tracks each requirement, who owns it, when it is due and what proof exists that it was done.
Today’s Cybersecurity Program
To make sure you "pass" your next cybersecurity audit, and can answer the three questions from the introduction, you need to seriously get your cybersecurity program together. Start by listing the cybersecurity regulations you must meet and the requirements from the enterprises you work with. From these, list every required policy and control, and assign each one to a member of your team who is responsible for enforcing it. Put the recurring items (annual risk assessment, periodic access reviews, awareness training, vulnerability scans, vendor reviews, incident response exercises) in a calendar with reminders. Finally, make sure you actually execute those policies and log your efforts as evidence. Evidence is only useful if it is dated, attributable to the person who performed the task, and retained for as long as the regulation requires, so an examiner can reconstruct what was done and when. Undated screenshots or a policy binder with no supporting records will not satisfy the third question. As you can imagine, this is a lot of work.
The Easy Way
To make implementing and managing a cybersecurity program easier, FPA, in partnership with FCI, created a CISO training certificate specifically for financial advisers. It gives you a practical system that you use during the training to build your own cybersecurity program, adapted to your needs and requirements. Register for the program today. Good luck!
Vincent Guyaux is the CISO at FCI.