By Lisa McLaughlin, Information Security Officer
Today, cyber threats are real and ever changing. In response, regulatory rules must constantly evolve in an attempt to mitigate this dynamic threat. In the first of this two-part blog series, we'll look at the complex roles of in-house attorneys and security professionals, and how they are intrinsic to the success of your business because they protect your organization's sensitive information.
Constantly changing regulation can create an internal headache, or even a crisis, for a business. Without a strong program dedicated to proactively preparing for new regulations, cyber compliance challenges can overwhelm a business and prevent it from gaining market share, improving its brand perception, or controlling litigation costs.
At a recent Association of Corporate Counsel (ACC) seminar hosted by MasterCard in New York, industry in-house attorneys and security professionals gathered to discuss today’s threat landscape and how businesses can create cyber compliance programs to protect their information and systems. Here’s what we discussed.
Understanding the central factors of compliance and access privileges is imperative to creating an effective cyber compliance program and avoiding litigation.
- To devise an effective cyber compliance program, you need to understand the threat landscape. Monitor technology changes and media events to determine which threats carry risks that will negatively affect your business.
- Critically assess your company's operating procedures and infrastructure. This assessment is especially important for the funds business sector. If your technology infrastructure is compromised such that you cannot execute trades, hedge your positions, price trades, track your market risk, initiate wire transfers, or respond to margin and collateral activity, you risk moderate to high losses, or going out of business, while also facing a slew of lawsuits.
- Be aware of and prepared for the regulatory demands surrounding confidential information. With all the data you collect, process, and store, it is best to assume that it is both confidential and critical for operations, and thus subject to regulatory scrutiny and compliance. Make sure your cyber compliance program includes appropriate measures for protecting this data.
- Finally, acknowledge that the people who run your business are a potential source of risk. Establish pre-employment processes such as background checks to verify previous employment, credit history, and criminal history. Create a set of company rules detailing appropriate versus inappropriate behavior. Put agreements in place with employees covering the confidentiality of client information and the protection of the company assets on which that information is stored. Establish exit procedures for departing employees to ensure confidential information does not leave with them.
Organizations are legally required to safeguard customer data from both external and internal threats. But often the biggest threat to this data is also your company's number one asset: its people. One way to mitigate this risk is to limit and track access privileges. How? Take an in-house lawyer's perspective and think in terms of "could" or "would".
Anticipate circumstances that “could” allow for the transfer of confidential information to a personal server, personal email address, or USB drive that could result in confidential information being posted on the internet for sale.
Just think. If your systems have lacked access controls from the start, an insider who can get in can also get information out, and an unknown third party coming from the internet can do the same. Know your data leakage risks and reassess the channels you allow in both directions, such as USB drives, external file sharing, or personal email sites.
Data Loss Prevention and Exfiltration controls have been an SEC focus area.
What you can control now: knowing who has access.
- Have rules and procedures. Review access. Follow the information.
- Have solid access controls both at the gateway where information enters your network from the internet and at the point where it leaves your network.
- Ensure your firewall has been configured to deny by default, allowing only explicitly authorized traffic.
- Run systematic vulnerability scans of externally facing web applications and the systems that host them to identify publicly known vulnerabilities, and have a remediation plan to address them. These scans should be consistent with industry guidelines and regulations such as HIPAA, 23 NYCRR 500, and Regulation S-P "Safeguards Rule."
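As an added illustration of the deny-by-default gateway controls described above (this is example configuration written for this post, not SS&C's own ruleset), here is an nftables policy for a Linux gateway that drops all inbound, forwarded, and outbound traffic unless a rule explicitly allows it, with the outbound chain covering the exfiltration channels discussed earlier. The addresses 10.0.0.0/8 (internal management network) and 10.0.0.53 (internal DNS resolver) are assumed placeholders; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Example deny-by-default gateway policy (illustrative; addresses are placeholders).
# The weak setting this replaces is "policy accept;" on each chain, which allows
# anything that no rule explicitly blocks.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # deny by default

        ct state established,related accept   # replies to traffic we allowed out
        ct state invalid drop
        iif "lo" accept                        # local loopback

        # Minimal ICMP so path MTU discovery and diagnostics keep working
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } accept

        # Administrative SSH only from the assumed internal management range
        tcp dport 22 ip saddr 10.0.0.0/8 accept

        # Public web services
        tcp dport { 80, 443 } accept

        # Everything else is dropped by policy; log a sample of it for the SOC
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # no transit unless added here
        ct state established,related accept
        ct state invalid drop
    }

    chain output {
        type filter hook output priority 0; policy drop;   # egress is also deny by default

        ct state established,related accept
        oif "lo" accept

        # DNS only to the assumed internal resolver, not to arbitrary internet hosts
        udp dport 53 ip daddr 10.0.0.53 accept
        tcp dport 53 ip daddr 10.0.0.53 accept

        # Outbound HTTPS for updates and sanctioned SaaS; tighten with a daddr set if possible
        tcp dport 443 accept

        # Blocked egress (e.g. SMTP to personal mail, file sharing on odd ports) is logged
        limit rate 5/minute log prefix "nft-output-drop: "
    }
}
```

Load it with `nft -f /etc/nftables.conf` and confirm the result with `nft list ruleset`; every base chain should show `policy drop`. A chain that shows `policy accept` is the weak setting the bullet above warns about, because any port without an explicit rule is then reachable.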
Together, these are layers of controls placed throughout an information system and its supporting infrastructure, creating defense in depth. To bolster the best practices listed above, review the NIST security guidelines, which provide a well-balanced mix of technical and management controls.
At SS&C we perform risk management to assess the extent to which our layered controls reduce the probability and impact of threats. To learn how to prepare and strategize, look for our second blog in this series on protecting your company data.
The views expressed herein are those of the author and do not necessarily reflect those of SS&C.