Is Your Firm Prepared for the SEC's Cybersecurity Exam?
Financial services firms are scrambling to implement better cybersecurity practices in preparation for the SEC’s increasingly aggressive risk and privacy examinations.
The SEC has found many companies’ cybersecurity measures are woefully lacking.
In a risk report this year, the SEC described numerous instances of insecurely handled customer information, incomplete incident response plans, and poor employee training.
Unfortunately, we often see large consulting firms guiding small financial firms toward the NIST Cybersecurity Framework, an impressively vast set of hundreds of cybersecurity measures that can take years to fully implement. What these companies need, however, is improved cybersecurity right now.
A better starting point for small and medium businesses looking for immediate results is the CIS Controls, a set of 20 prioritized measures that can vastly improve your cybersecurity in a short period of time. Implementing just the first five Controls has been documented to prevent 85% of cyberattacks, while completing all 20 raises the effectiveness to around 97%.
With CIS Controls in place, companies can protect themselves from both cybersecurity breaches and SEC penalties.
Once all the Controls are in place, an IT firm can address company-specific security gaps for even greater protection.
If companies have the time and money, implementing the NIST Framework is still a useful long-term strategy. In fact, the CIS Controls are a great starting place for an eventual adoption of the Framework. But the first priority should be to focus on the most effective, practical strategies that offer the most immediate results. For that, nothing is better than the CIS Controls.
For a CIS Top 20 evaluation and support in implementing these Controls, call or email Business Technology Partners. Our team will help you batten down the hatches and prepare for the possibility of an SEC examination.