San Francisco Roundtable Summary
The San Francisco Compliance Roundtable held its meeting focused on cyber-security on September 18, 2015. Alan Raul (partner, Sidley Austin), Tom Snyder (co-founder, Xantrion, Inc.) and Rebecca Pearson (SVP, FINEX North America Cyber & E&O Team) were on hand to share their knowledge and expertise. Hardy Callcott and Sidley Austin hosted the event and Oyster Consulting’s Harriet Britt assisted with the discussion.
Mr. Raul discussed the regulatory landscape, and the group discussed the OCIE examination program for cyber-security recently released by the SEC. The Roundtable also discussed the FTC’s desire to become the regulatory overseer of information security.
Mr. Snyder offered suggestions about the most basic steps firms should take to protect themselves. These include ensuring that all payment instructions issued by a company are sent from a dedicated computer. This computer should be used for no other activities, and all payment instructions must include a two-step authentication process.
Ms. Pearson and Mr. Snyder discussed identifying your firm’s risk profile and the cost of covering that risk with insurance. There are actions a firm may take that will reduce its insurance costs. Your firm will also be able to better target spending on technology efforts to protect the firm and its clients after identifying risks and engaging in a discussion with an insurance provider.
The Roundtable participants agreed that while a CCO can oversee the development of a cyber-security program or plan, IT must take the lead in the bulk of the work. Often a firm’s IT department will have already developed strong protocols, but nothing will be documented. If penetration or other types of testing have been conducted, often the plan for the test and the test results are not documented. It is essential that this documentation be created, and it may be necessary to bring in a third party to accomplish the documentation and assist with enhancing already existing processes.
The Roundtable also discussed the need to manage employees and employee-related risk. Training of employees must take place, but just as important is the need to manage the onboarding and separation of employees. Ensuring that potentially disgruntled employees are separated appropriately is important, as is eliminating access points for employees who are terminated. Make certain that as employees are promoted or moved from one department to another, their access is also altered as appropriate. Mr. Snyder also made the point that it is almost impossible to terminate system access for IT employees or contractors who have complete administrative access. It is essential that new hire diligence be completed.
Participants asked questions about requesting diligence from vendors, especially large, well-known firms such as clearing firms. Those firms will have conducted the appropriate internal audits and have the necessary documentation to support the work done. Your firm’s clearing firm or custodian will be prepared to offer those audit reports and discuss their processes. It may simply be a matter of finding the right person to ask.
For more information on the San Francisco Roundtable or the topics covered, contact email@example.com.