2024 Cyber and Data Security Program Checklist
January 2, 2024
As you finalize your goals and planning for 2024, make sure that your cyber and data security program is a key component of your plan. As regulatory requirements continue to change, and as online hackers become even more sophisticated, it is absolutely critical that your cyber and data security programs meet industry best practices.
The checklist below outlines key components of a sound cyber and data security program, and may be helpful as you prepare for 2024. Also be sure to monitor for the latest regulatory changes, such as the SEC’s proposed Outsourcing Rule and the SEC’s proposed Cybersecurity Risk Management Rule. To receive regulatory changes and updates directly to your inbox, sign up to receive our Flash Reports here.
2024 Cyber and Data Security Program Checklist:
- Ensure you have customized policies and procedures to address your firm’s business practices and regulatory requirements, including but not limited to:
  - Incident Response
  - Disaster Recovery and Business Continuity
  - Cyber and Data Security
  - Vendor Management
  - Access Management
  - Remote Office Oversight
- Plan for an annual cybersecurity risk assessment
  - Consider using this as a roadmap for assessing gaps and identifying areas of improvement.
- Establish a comprehensive testing program
  - Evaluate whether the firm adheres to its key policies and procedures, including periodic review of patching reports, firewall reports, and network monitoring reports.
  - Set dates for tabletop exercises to test the firm’s Incident Response Plan and Disaster Recovery and Business Continuity Plans.
- Hold Access Management reviews: Conduct an annual or semi-annual access review to evaluate user access rights and confirm access is limited to the scope necessary to accomplish the employee’s role.
- Maintain a vendor management program, including:
  - Establish a review and approval process for new vendors;
  - Conduct annual reviews on key vendors; and
  - Review your key vendor list and determine if any changes are necessary.
- Conduct regular monitoring and testing
  - Engage a third party to conduct an annual penetration test.
  - Conduct periodic internal and external network scans. Firms should take a risk-based approach in determining frequency. Typically, firms increase the frequency of scans as they grow, because a larger footprint brings more potential attack vectors.
- Establish or maintain an Employee Training Program to enable employees to spot the latest threats: Human action or inaction is the most common cause of a breach, which is why training is critical.
  - Create a custom training program to educate employees on your policies and procedures.
  - Conduct regular mock phishing training. We recommend deploying mock phishing exercises at least monthly.
- Implement MFA on all accounts where possible
- Assess your firm’s cyber and data security needs and plan for the upcoming year
  - Determine whether you have internal expertise, or whether external support is required to accomplish your goals.
  - If external support is needed, start identifying new vendors now. Demand for cyber vendors will likely increase once the SEC adopts the pending rules, so we recommend starting this process sooner rather than later.
Questions? We can help.
Fairview’s Cyber Solutions practice assists firms in building SEC cyber policies and data security programs, with documented testing reports to assess the firm’s protection of sensitive client and firm information. Contact us today if you need assistance.