Navigating the regulatory maze

Last year's SEC 28-point security Risk Alert triggered a wave of regulatory compliance reports and requirements that have transformed the way the industry thinks about cybersecurity. The big breach stories of 2014 made the topic unavoidable in the boardroom and a top priority on the legislative slate.

Initial findings released after the SEC’s first wave of cybersecurity examinations revealed staggering facts: of the 106 firms inspected, 88% of broker-dealers and 74% of advisers examined experienced a cyber attack either directly or through one of their vendors.

As a result of these initial examinations, the SEC and FINRA last February released a series of recommendations. These recommendations are intended as interim guidance while the SEC and FINRA continue to build out a formal compliance framework.

Without a doubt, these recommendations are essential (and fundamental) cybersecurity considerations, however many firms have found it difficult to navigate the maze and determine which points are applicable to the unique requirements based on their firm’s size.

Recognizing that the recommendations aren’t a one-size-fits-all guide, eSentire recently published a pragmatic document categorizing considerations for varying sizes of firms, building on three specific measures highlighted in the SEC findings. While they don’t necessarily form an explicit list of what firms should do to fulfill their duties when it comes to information security, it’s important to be able to identify which of the recommended facets apply to your firm and its unique size. The three measures focus on:

1. Periodic Cybersecurity Assessment
2. Detecting and Responding to Cybersecurity Threats
3. Documented Cybersecurity Policies and Procedures

The SEC Matrix from eSentire takes these three measures into account, divvying them for firms with AUM under $1B, between $1-5B and firms with over $5B in AUM. While each class has very unique considerations, it’s important to regard the lists as additive; as firms move higher on the scale they shouldn’t just consider the list prescribed for larger funds. It’s important that larger funds review and consider recommendations for smaller funds too, as those measures are critical for funds of all sizes.

The document is a pragmatic security to-do list that helps ensure that as you’re continually augmenting your cybersecurity defences you’ve got peripheral compliance considerations covered too. To view the complete lists and pragmatic checklist download your copy of the SEC Matrix today.