Cyber and Data Security Program Checklist


Whether you’re creating a compliance program for the first time or evaluating your current compliance program, it’s important to ensure that cyber and data security are critical components of your program. As regulatory requirements continue to change, as new technology becomes more widely used (such as artificial intelligence), and as online hackers become even more sophisticated, it is absolutely critical that your cyber and data security programs are up to date and meet industry best practices.

The checklist below outlines key components of a sound cyber and data security program and may be helpful as you evaluate your own program. Also be sure to monitor for the latest regulatory changes, such as the SEC’s proposed Outsourcing Rule, the SEC’s proposed Predictive Analytics Rule, and SEC’s proposed Cybersecurity Risk Management Rule.

Cyber and Data Security Program Checklist:

  1. Ensure you have customized policies and procedures to address your firm’s business practices and regulatory requirements, including but not limited to:
    • Incident Response
    • Disaster Recovery and Business Continuity
    • Cyber and Data Security
    • Vendor Management
    • Access Management
    • Remote Office Oversight
    • AI Policy
  2. Plan for an annual cybersecurity risk assessment
    • Consider using this as a roadmap for assessing gaps and identifying areas of improvement.
  3. Establish a comprehensive testing program
    • Evaluate whether the firm adheres to its key policies and procedures, including periodic review of patching reports, firewall reports, and network monitoring reports.
    • Set dates for tabletop exercises to test the firm’s Incident Response Plan and Disaster Recovery and Business Continuity Plans.
    • Hold Access Management reviews: Conduct an annual or semi-annual access review to evaluate user access rights and confirm access is limited to the scope necessary to accomplish the employee’s role.
  4. Maintain a vendor management program, including:
    • Establish a review and approval process for new vendors;
    • Conduct annual reviews on key vendors; and
    • Review your key vendor list and determine if any changes are necessary.
  5. Update your compliance program to address AI
    • Update your policies and procedures to incorporate acceptable uses and prohibited uses of AI, predictive analytics, and related technologies.
    • Establish acceptable and prohibited uses.
    • Consider restricting access so that only permitted AI platforms can be used.
    • Set guidelines for employees. If possible, opt out of allowing AI tools to use any personal or firm data to train their AI models. Review outputs from AI tools for reasonableness prior to use or external publication.
    • Hold employee training to educate employees on best practices for using AI, including restrictions on uploading confidential information to large language models.
    • If you permit AI usage, conduct an initial due diligence review of the AI tool and consider implementing a testing process to review outputs.
  6. Conduct regular monitoring and testing
    • Engage a third party to conduct an annual penetration test.
    • Conduct periodic internal and external network scans. Firms should take a risk-based approach in determining frequency. Typically, firms increase the frequency of scans as they grow, since the firm’s footprint and potential attack vectors increase.
  7. Establish or maintain an Employee Training Program to enable employees to spot the latest threats: Human action or inaction is the most common cause of breach, which is why training is critical.
    • Create a custom training program to educate employees on your policies and procedures.
    • Conduct regular mock phishing training. We recommend deploying mock phishing exercises at least monthly.
  8. Implement MFA on all accounts when possible
    • Make sure you are using the most up-to-date and strongest forms of MFA.
  9. Assess your firm’s cyber and data security needs and plan for the upcoming year
    • Determine if you have internal expertise, or if external support is required to accomplish your goals.
    • If external support is needed, start working on identifying new vendors. Demand for cyber vendors will likely increase once the SEC adopts the pending rules, so we recommend starting this process sooner rather than later.

Questions? We can help.

Fairview’s Cyber Solutions practice assists firms in building SEC cyber policies and data security programs, with documented testing reports to assess the firm’s protection of sensitive client and firm information. Contact us today if you need assistance.