Technology

OCIE Cybersecurity Update for Market Participants

February 2020

On January 27^th, the Office of Compliance Inspections and Examinations released an updated report on the requirements and industry best practices that market participants should be following in order to reduce their overall cybersecurity risk. Our team of cybersecurity experts have highlighted important factors from the OCIE report below.

Similar to other state-level requirements such as NYDFS.NYCRR.500 – the OCIE is recommending:

Senior Level Engagement

The board and senior leadership of the market participant should have visibility and insight into the overall cybersecurity strategy and state of cybersecurity within the company. This includes the completion of an annual enterprise risk assessment and periodic security testing such as penetration testing, vulnerability scanning, and reporting on vulnerabilities and improvements required to increase the maturity of the cybersecurity program.

Annual documentation and review of policies and procedures

Policies and procedures should be documented and reviewed annually. This includes the development of formal incident response and disaster recovery procedures. These resiliency plans should be tested annually.

Need to Know Data Limitations

OCIE is recommending that companies limit access to data and systems on a “need to know” basis.

Use Multi-Factor Authentication

MFA should be used where possible for all internal and external users.

Monitor System Access

Access to all systems, especially sensitive systems, should be logged and monitored.

Conduct Vulnerability Scans

Firms should conduct periodic vulnerability scans across their internal and external environments.

Protect Your Data

Data Loss Prevention (DLP) and Cloud Security Access Broker (CASB) should be used to ensure sensitive content is filtered, monitored and protected.

Monitor Malicious Behavior

Endpoint security should monitor for malicious behavior. Tools like MDR and EDR should be considered over more traditional Anti-Virus.

Understand and manage your assets

Asset management is critical, this includes understanding where data is stored and used while ensuring all systems are patched and kept up to date. Both company-owned and personal mobile devices should be monitored and secured using an MDM solution.

Training

Periodic cybersecurity training should be conducted.

Third-Party Evaluations

It is important to establish a vendor management system as third-party vendors must also be vetted for their cybersecurity posture. If you are using a vendor to manage your data or cybersecurity initiatives, it is important that you ensure the appropriate safeguards have been implemented on their end. High risk and critical vendors should be reviewed annually.

For more details about these best practices and OCIE observations for your company, read the OCIE report in its entirety.

For more information about the cybersecurity services Richey May provides to the alternative investments industry, please contact Steve Vlasak or visit our Richey May Technology Solutions.