SlideShare a Scribd company logo

No Simple Exercise

Duff & Phelps
Duff & Phelps

Risk, not rules, must determine firms' cyber security requirements

Business
1 of 2
Download to read offline
No Simple Exercise Risk, not rules, must determine firms’ cybersecurity requirements. Author Adam Menkes Director Credit Suisse The SEC’s decision to issue guidance rather than specific requirements around cybersecurity has led to some uncertainty among registered investment advisors (RIAs) over how to implement certain aspects of their cybersecurity programs. 1 https://www.sec.gov/investment/im-guidance-2016-04.pdf 2 https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf 3 https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf 4 http://www.finra.org/newsroom/2015/finra-issues-report-cybersecurity-practices-cybersecurity-investor-alert Without a clear statement of their expected obligations, many RIAs report that it has been difficult to determine if they have done enough to satisfy the SEC and investors alike. That said, the majority of firms have formed a strong base and continue to focus on improvements, as the threat landscape continues to evolve. Over time, the SEC and other regulators have issued substantial guidance on their key areas of focus, and RIAs have realised that taking action based on that guidance rather than waiting for specified regulations is the right approach. In April 2015,1 the SEC suggested investment companies and advisors “may wish to consider”, among other things, risk assessments, a cybersecurity strategy, and written policies and procedures as well as training. The Office of Compliance Inspections and Examinations (OCIE) initiative in September of that year outlined broker- dealers’ and investment advisors’ controls.2 In addition to the OCIE,3 regulatory bodies such as Financial Industry Regulatory Authority (FINRA)4 have provided additional guidelines for managers to look to. While following these other requirements may hold managers to a higher standard than is outlined by the OCIE, there is little indication to date to suggest that the SEC’s expectations are lower. Historically, the SEC and FINRA have been quick with enforcement action where their guidelines have been egregiously ignored. The number of cases brought by these two regulators on the basis of cybersecurity failings (at least in part) is already in the double digits. To each their own Set in this context, the SEC’s lack of specificity gives it the flexibility to evaluate each RIA’s adherence to the guidelines independently. The areas where the regulator will spend its time are increasingly clear; encryption, data retention limits, risk assessments, information security policies, documentation, incident response plans and workforce training are all fair game. It seems that there is to be, for now, no definitive or official list of requirements that RIAs can simply check off to claim compliance. In firms where the SEC sees the higher potential risk, it has left itself room to demand greater measures to protect against cyber threats, and lesser measures for threats that pose a lower risk. 22 DUFF & PHELPS – GRO VIEWPOINT 2017
This is not necessarily a bad thing. While RIAs may have less certainty about cyber compliance, they also have an opportunity to look at cybersecurity holistically and pragmatically. This should prompt them to consider not just the regulatory requirements, but also their own cybersecurity risks. The SEC is rightly focused on investor protection and market integrity. Firms’ intellectual property or client lists (from a competitive, rather than privacy, standpoint) are not really its concern. Meeting the SEC standards will not necessarily protect a firm’s algorithms, nor retain its customers when a trader leaves. Cybersecurity must go further than minimal compliance satisfaction. To an extent, the SEC’s flexibility means that it will continue to determine whether RIAs’ cybersecurity controls are adequate on a case-by-case basis, and RIAs likely should be taking the same approach. GIVEN THE MAGNITUDE OF RECENT CYBER BREACHES, OUR COMPANY PLANS TO FOCUS MORE RESOURCES AND TIME ON CYBERSECURITY. WHERE DO YOU EXPECT REGULATORS TO FOCUS IN 2017? 59.6%Agree 9.6%Unsure 3.2%Disagree 1.1%Strongly disagree Strongly agree 26.3% Focus Area Answer Options Accounting fraud AML/KYC and financial crime issues Asset misap- propriation Benchmark and FX manipulation Bribery and corruption Client suitability/ misselling Cyber- security Fee and expense allocation Firmwide culture of compliance High- frequency, dark pools, algo and electronic trading Liquidity manage- ment Marketing practices to investors/ customers Misstating/ misreporting asset values Proper disclosure for investors Valuation Don’t know Response Count Priority 1 1 34 2 2 5 7 48 16 9 2 8 6 0 10 4 3 157 Priority 2 2 17 0 2 4 11 35 19 14 11 7 14 3 9 6 2 156 Priority 3 5 11 3 4 12 7 21 7 22 7 5 17 3 18 6 4 152 DUFF & PHELPS – GRO VIEWPOINT 2017 23

Recommended

Having an Impact - Senior Manager Regimes in the UK and Elsewhere
Having an Impact - Senior Manager Regimes in the UK and ElsewhereHaving an Impact - Senior Manager Regimes in the UK and Elsewhere
Having an Impact - Senior Manager Regimes in the UK and ElsewhereDuff & Phelps
 
Cyber Insurance - What you need to know
Cyber Insurance - What you need to knowCyber Insurance - What you need to know
Cyber Insurance - What you need to knowFitCEO, Inc. (FCI)
 
Langes directorsupdate magpi_september13
Langes directorsupdate magpi_september13 Langes directorsupdate magpi_september13
Langes directorsupdate magpi_september13 davidjac
 
WSJ(R+C)-IT
WSJ(R+C)-ITWSJ(R+C)-IT
WSJ(R+C)-ITKeith Darcy
 
Veta compliance operations review
Veta compliance operations reviewVeta compliance operations review
Veta compliance operations reviewMark Taylor
 
Compliance & data security – the way we work
Compliance & data security – the way we workCompliance & data security – the way we work
Compliance & data security – the way we workPuneet Chopra
 
ACFE 2017: Audit and Fraud Joining Forces
ACFE 2017: Audit and Fraud Joining Forces ACFE 2017: Audit and Fraud Joining Forces
ACFE 2017: Audit and Fraud Joining Forces Jen Dunham, CFE
 
Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_
Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_
Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_Corgetum Consulting (http://www.Corgentum.com)
 

Recommended

Having an Impact - Senior Manager Regimes in the UK and Elsewhere
Having an Impact - Senior Manager Regimes in the UK and ElsewhereHaving an Impact - Senior Manager Regimes in the UK and Elsewhere
Having an Impact - Senior Manager Regimes in the UK and ElsewhereDuff & Phelps
 
Cyber Insurance - What you need to know
Cyber Insurance - What you need to knowCyber Insurance - What you need to know
Cyber Insurance - What you need to knowFitCEO, Inc. (FCI)
 
Langes directorsupdate magpi_september13
Langes directorsupdate magpi_september13 Langes directorsupdate magpi_september13
Langes directorsupdate magpi_september13 davidjac
 
WSJ(R+C)-IT
WSJ(R+C)-ITWSJ(R+C)-IT
WSJ(R+C)-ITKeith Darcy
 
Veta compliance operations review
Veta compliance operations reviewVeta compliance operations review
Veta compliance operations reviewMark Taylor
 
Compliance & data security – the way we work
Compliance & data security – the way we workCompliance & data security – the way we work
Compliance & data security – the way we workPuneet Chopra
 
ACFE 2017: Audit and Fraud Joining Forces
ACFE 2017: Audit and Fraud Joining Forces ACFE 2017: Audit and Fraud Joining Forces
ACFE 2017: Audit and Fraud Joining Forces Jen Dunham, CFE
 
Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_
Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_
Hedge fund operational_due_diligence_corgentum_insights_regulatory_burden_Corgetum Consulting (http://www.Corgentum.com)
 
ACFE 2017 - Audit and Fraud Joining Forces
ACFE 2017 - Audit and Fraud Joining ForcesACFE 2017 - Audit and Fraud Joining Forces
ACFE 2017 - Audit and Fraud Joining ForcesJen Dunham, CFE
 
DOL Fiduciary Rule Infographic
DOL Fiduciary Rule InfographicDOL Fiduciary Rule Infographic
DOL Fiduciary Rule InfographicEAI Information Systems
 
EY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesEY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesMatthew Whalley
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportAlex Himmelberg
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity reportOwen Bartolome
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016FitCEO, Inc. (FCI)
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...NationalUnderwriter
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119FitCEO, Inc. (FCI)
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...EC-Council
 
Stratifi technologies
Stratifi technologiesStratifi technologies
Stratifi technologiesstratifi
 
SGF2016 12641 - Moving from Prediction to Decision
SGF2016 12641 - Moving from Prediction to DecisionSGF2016 12641 - Moving from Prediction to Decision
SGF2016 12641 - Moving from Prediction to DecisionCarl Case
 
ALN Risk Management Survey at ILTACON 2016
ALN Risk Management Survey at ILTACON 2016ALN Risk Management Survey at ILTACON 2016
ALN Risk Management Survey at ILTACON 2016Erez Bustan
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106Ted Richmond
 
Establishing an Organization Wide Fraud Policy
Establishing an Organization Wide Fraud PolicyEstablishing an Organization Wide Fraud Policy
Establishing an Organization Wide Fraud PolicyFraudBusters
 
Seal datasheet | trading derivative
Seal datasheet | trading derivativeSeal datasheet | trading derivative
Seal datasheet | trading derivativesealsoftwaredept
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
The 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseThe 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseElizabeth Dimit
 
Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016John T. Araneo
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 

More Related Content

What's hot

ACFE 2017 - Audit and Fraud Joining Forces
ACFE 2017 - Audit and Fraud Joining ForcesACFE 2017 - Audit and Fraud Joining Forces
ACFE 2017 - Audit and Fraud Joining ForcesJen Dunham, CFE
 
EY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesEY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesMatthew Whalley
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportAlex Himmelberg
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity reportOwen Bartolome
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016FitCEO, Inc. (FCI)
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...NationalUnderwriter
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119FitCEO, Inc. (FCI)
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...EC-Council
 
Stratifi technologies
Stratifi technologiesStratifi technologies
Stratifi technologiesstratifi
 
SGF2016 12641 - Moving from Prediction to Decision
SGF2016 12641 - Moving from Prediction to DecisionSGF2016 12641 - Moving from Prediction to Decision
SGF2016 12641 - Moving from Prediction to DecisionCarl Case
 
ALN Risk Management Survey at ILTACON 2016
ALN Risk Management Survey at ILTACON 2016ALN Risk Management Survey at ILTACON 2016
ALN Risk Management Survey at ILTACON 2016Erez Bustan
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106Ted Richmond
 
Establishing an Organization Wide Fraud Policy
Establishing an Organization Wide Fraud PolicyEstablishing an Organization Wide Fraud Policy
Establishing an Organization Wide Fraud PolicyFraudBusters
 
Seal datasheet | trading derivative
Seal datasheet | trading derivativeSeal datasheet | trading derivative
Seal datasheet | trading derivativesealsoftwaredept
 

What's hot (15)

ACFE 2017 - Audit and Fraud Joining Forces
ACFE 2017 - Audit and Fraud Joining ForcesACFE 2017 - Audit and Fraud Joining Forces
ACFE 2017 - Audit and Fraud Joining Forces
 
DOL Fiduciary Rule Infographic
DOL Fiduciary Rule InfographicDOL Fiduciary Rule Infographic
DOL Fiduciary Rule Infographic
 
EY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pagesEY Legal Risk Brochure LR_single-pages
EY Legal Risk Brochure LR_single-pages
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
 
2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report2016 Finance industry cybersecurity report
2016 Finance industry cybersecurity report
 
Cyber security audits and risk management 2016
Cyber security audits and risk management 2016Cyber security audits and risk management 2016
Cyber security audits and risk management 2016
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...
 
Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119Cyber Security Audits and Risk Management 20160119
Cyber Security Audits and Risk Management 20160119
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
 
Stratifi technologies
Stratifi technologiesStratifi technologies
Stratifi technologies
 
SGF2016 12641 - Moving from Prediction to Decision
SGF2016 12641 - Moving from Prediction to DecisionSGF2016 12641 - Moving from Prediction to Decision
SGF2016 12641 - Moving from Prediction to Decision
 
ALN Risk Management Survey at ILTACON 2016
ALN Risk Management Survey at ILTACON 2016ALN Risk Management Survey at ILTACON 2016
ALN Risk Management Survey at ILTACON 2016
 
Richmond reprint 20151106
Richmond reprint 20151106Richmond reprint 20151106
Richmond reprint 20151106
 
Establishing an Organization Wide Fraud Policy
Establishing an Organization Wide Fraud PolicyEstablishing an Organization Wide Fraud Policy
Establishing an Organization Wide Fraud Policy
 
Seal datasheet | trading derivative
Seal datasheet | trading derivativeSeal datasheet | trading derivative
Seal datasheet | trading derivative
 

Similar to No Simple Exercise

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
The 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseThe 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseElizabeth Dimit
 
Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016John T. Araneo
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityRahul Tyagi
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Niren Thanky
 
Verizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgVerizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgCMR WORLD TECH
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudHappiest Minds Technologies
 
Cayman Compliant Series - AML Requirements for VASPs
Cayman Compliant Series - AML Requirements for VASPsCayman Compliant Series - AML Requirements for VASPs
Cayman Compliant Series - AML Requirements for VASPsRamona Tudorancea
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
Where Is Your Sensitive Data Wp
Where Is Your Sensitive Data WpWhere Is Your Sensitive Data Wp
Where Is Your Sensitive Data Wptbeckwith
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolioKaloyan Krastev
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 

Similar to No Simple Exercise (20)

Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity Essay
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
The 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident ResponseThe 4 Challenges of Managing Privacy Incident Response
The 4 Challenges of Managing Privacy Incident Response
 
Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016Cyber_Security_Action_Plan_2016
Cyber_Security_Action_Plan_2016
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
HEMISPHERE SMB Case Study
HEMISPHERE SMB Case StudyHEMISPHERE SMB Case Study
HEMISPHERE SMB Case Study
 
PCI COMPLIANCE REPORT
PCI COMPLIANCE REPORTPCI COMPLIANCE REPORT
PCI COMPLIANCE REPORT
 
Verizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xgVerizon rp pci report-2015-en_xg
Verizon rp pci report-2015-en_xg
 
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The CloudSimplify Your Approach To_Assess The Risks Of Moving Into The Cloud
Simplify Your Approach To_Assess The Risks Of Moving Into The Cloud
 
Cayman Compliant Series - AML Requirements for VASPs
Cayman Compliant Series - AML Requirements for VASPsCayman Compliant Series - AML Requirements for VASPs
Cayman Compliant Series - AML Requirements for VASPs
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
Where Is Your Sensitive Data Wp
Where Is Your Sensitive Data WpWhere Is Your Sensitive Data Wp
Where Is Your Sensitive Data Wp
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
Cyber Defence - Service portfolio
Cyber Defence - Service portfolioCyber Defence - Service portfolio
Cyber Defence - Service portfolio
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 

More from Duff & Phelps

Hospitalist M&A Landscape – Winter 2018 – 2019
Hospitalist M&A Landscape – Winter 2018 – 2019Hospitalist M&A Landscape – Winter 2018 – 2019
Hospitalist M&A Landscape – Winter 2018 – 2019Duff & Phelps
 
Food and Beverage M&A Landscape Late Fall 2018
Food and Beverage M&A Landscape Late Fall 2018Food and Beverage M&A Landscape Late Fall 2018
Food and Beverage M&A Landscape Late Fall 2018Duff & Phelps
 
Healthcare Services Sector Update – November 2018
Healthcare Services Sector Update – November 2018Healthcare Services Sector Update – November 2018
Healthcare Services Sector Update – November 2018Duff & Phelps
 
Capital Markets Insights – Late Fall 2018
Capital Markets Insights – Late Fall 2018Capital Markets Insights – Late Fall 2018
Capital Markets Insights – Late Fall 2018Duff & Phelps
 
Regulatory Watch: Asset Management Q3
Regulatory Watch: Asset Management Q3Regulatory Watch: Asset Management Q3
Regulatory Watch: Asset Management Q3Duff & Phelps
 
Industry Multiples India Report: Fifth Edition
Industry Multiples India Report: Fifth Edition Industry Multiples India Report: Fifth Edition
Industry Multiples India Report: Fifth Edition Duff & Phelps
 
Restaurant Quarterly Update - Fall 2018
Restaurant Quarterly Update - Fall 2018Restaurant Quarterly Update - Fall 2018
Restaurant Quarterly Update - Fall 2018Duff & Phelps
 
LEED Market Study - Nov 2018
LEED Market Study - Nov 2018LEED Market Study - Nov 2018
LEED Market Study - Nov 2018Duff & Phelps
 
Healthcare Services Sector Update – October 2018
Healthcare Services Sector Update – October 2018Healthcare Services Sector Update – October 2018
Healthcare Services Sector Update – October 2018Duff & Phelps
 
IP Value Summit 2018 - Agenda
IP Value Summit 2018 - Agenda IP Value Summit 2018 - Agenda
IP Value Summit 2018 - AgendaDuff & Phelps
 
Regulatory Focus October 2018
Regulatory Focus October 2018Regulatory Focus October 2018
Regulatory Focus October 2018Duff & Phelps
 
Staffing Industry Insights - Fall 2018
Staffing Industry Insights - Fall 2018Staffing Industry Insights - Fall 2018
Staffing Industry Insights - Fall 2018Duff & Phelps
 
Medical Device Contract Manufacturing Update – Fall 2018
Medical Device Contract Manufacturing Update – Fall 2018Medical Device Contract Manufacturing Update – Fall 2018
Medical Device Contract Manufacturing Update – Fall 2018Duff & Phelps
 
Duff & Phelps Valuation Insights Greater China Edition October 2018
Duff & Phelps Valuation Insights Greater China Edition October 2018Duff & Phelps Valuation Insights Greater China Edition October 2018
Duff & Phelps Valuation Insights Greater China Edition October 2018Duff & Phelps
 
Canadian M&A Insights Fall 2018
Canadian M&A Insights Fall 2018Canadian M&A Insights Fall 2018
Canadian M&A Insights Fall 2018Duff & Phelps
 
Healthcare Services Sector Update September 2018
Healthcare Services Sector Update September 2018Healthcare Services Sector Update September 2018
Healthcare Services Sector Update September 2018Duff & Phelps
 
Cost Trend Update Bulletin July-2018
Cost Trend Update Bulletin July-2018Cost Trend Update Bulletin July-2018
Cost Trend Update Bulletin July-2018Duff & Phelps
 
Regulatory Focus September 2018
Regulatory Focus September 2018Regulatory Focus September 2018
Regulatory Focus September 2018Duff & Phelps
 
Hedge Fund and Private Equity Fund - Structures, Regulation and Criminal Risks
Hedge Fund and Private Equity Fund - Structures, Regulation and Criminal RisksHedge Fund and Private Equity Fund - Structures, Regulation and Criminal Risks
Hedge Fund and Private Equity Fund - Structures, Regulation and Criminal RisksDuff & Phelps
 
Food and Beverage M&A Landscape - Summer 2018
Food and Beverage M&A Landscape - Summer 2018Food and Beverage M&A Landscape - Summer 2018
Food and Beverage M&A Landscape - Summer 2018Duff & Phelps
 

More from Duff & Phelps (20)

Hospitalist M&A Landscape – Winter 2018 – 2019
Hospitalist M&A Landscape – Winter 2018 – 2019Hospitalist M&A Landscape – Winter 2018 – 2019
Hospitalist M&A Landscape – Winter 2018 – 2019
 
Food and Beverage M&A Landscape Late Fall 2018
Food and Beverage M&A Landscape Late Fall 2018Food and Beverage M&A Landscape Late Fall 2018
Food and Beverage M&A Landscape Late Fall 2018
 
Healthcare Services Sector Update – November 2018
Healthcare Services Sector Update – November 2018Healthcare Services Sector Update – November 2018
Healthcare Services Sector Update – November 2018
 
Capital Markets Insights – Late Fall 2018
Capital Markets Insights – Late Fall 2018Capital Markets Insights – Late Fall 2018
Capital Markets Insights – Late Fall 2018
 
Regulatory Watch: Asset Management Q3
Regulatory Watch: Asset Management Q3Regulatory Watch: Asset Management Q3
Regulatory Watch: Asset Management Q3
 
Industry Multiples India Report: Fifth Edition
Industry Multiples India Report: Fifth Edition Industry Multiples India Report: Fifth Edition
Industry Multiples India Report: Fifth Edition
 
Restaurant Quarterly Update - Fall 2018
Restaurant Quarterly Update - Fall 2018Restaurant Quarterly Update - Fall 2018
Restaurant Quarterly Update - Fall 2018
 
LEED Market Study - Nov 2018
LEED Market Study - Nov 2018LEED Market Study - Nov 2018
LEED Market Study - Nov 2018
 
Healthcare Services Sector Update – October 2018
Healthcare Services Sector Update – October 2018Healthcare Services Sector Update – October 2018
Healthcare Services Sector Update – October 2018
 
IP Value Summit 2018 - Agenda
IP Value Summit 2018 - Agenda IP Value Summit 2018 - Agenda
IP Value Summit 2018 - Agenda
 
Regulatory Focus October 2018
Regulatory Focus October 2018Regulatory Focus October 2018
Regulatory Focus October 2018
 
Staffing Industry Insights - Fall 2018
Staffing Industry Insights - Fall 2018Staffing Industry Insights - Fall 2018
Staffing Industry Insights - Fall 2018
 
Medical Device Contract Manufacturing Update – Fall 2018
Medical Device Contract Manufacturing Update – Fall 2018Medical Device Contract Manufacturing Update – Fall 2018
Medical Device Contract Manufacturing Update – Fall 2018
 
Duff & Phelps Valuation Insights Greater China Edition October 2018
Duff & Phelps Valuation Insights Greater China Edition October 2018Duff & Phelps Valuation Insights Greater China Edition October 2018
Duff & Phelps Valuation Insights Greater China Edition October 2018
 
Canadian M&A Insights Fall 2018
Canadian M&A Insights Fall 2018Canadian M&A Insights Fall 2018
Canadian M&A Insights Fall 2018
 
Healthcare Services Sector Update September 2018
Healthcare Services Sector Update September 2018Healthcare Services Sector Update September 2018
Healthcare Services Sector Update September 2018
 
Cost Trend Update Bulletin July-2018
Cost Trend Update Bulletin July-2018Cost Trend Update Bulletin July-2018
Cost Trend Update Bulletin July-2018
 
Regulatory Focus September 2018
Regulatory Focus September 2018Regulatory Focus September 2018
Regulatory Focus September 2018
 
Hedge Fund and Private Equity Fund - Structures, Regulation and Criminal Risks
Hedge Fund and Private Equity Fund - Structures, Regulation and Criminal RisksHedge Fund and Private Equity Fund - Structures, Regulation and Criminal Risks
Hedge Fund and Private Equity Fund - Structures, Regulation and Criminal Risks
 
Food and Beverage M&A Landscape - Summer 2018
Food and Beverage M&A Landscape - Summer 2018Food and Beverage M&A Landscape - Summer 2018
Food and Beverage M&A Landscape - Summer 2018
 

Recently uploaded

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxsaniyaimamuddin
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 

Recently uploaded (20)

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 

No Simple Exercise

  • 1. No Simple Exercise Risk, not rules, must determine firms’ cybersecurity requirements. Author Adam Menkes Director Credit Suisse The SEC’s decision to issue guidance rather than specific requirements around cybersecurity has led to some uncertainty among registered investment advisors (RIAs) over how to implement certain aspects of their cybersecurity programs. 1 https://www.sec.gov/investment/im-guidance-2016-04.pdf 2 https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf 3 https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf 4 http://www.finra.org/newsroom/2015/finra-issues-report-cybersecurity-practices-cybersecurity-investor-alert Without a clear statement of their expected obligations, many RIAs report that it has been difficult to determine if they have done enough to satisfy the SEC and investors alike. That said, the majority of firms have formed a strong base and continue to focus on improvements, as the threat landscape continues to evolve. Over time, the SEC and other regulators have issued substantial guidance on their key areas of focus, and RIAs have realised that taking action based on that guidance rather than waiting for specified regulations is the right approach. In April 2015,1 the SEC suggested investment companies and advisors “may wish to consider”, among other things, risk assessments, a cybersecurity strategy, and written policies and procedures as well as training. The Office of Compliance Inspections and Examinations (OCIE) initiative in September of that year outlined broker- dealers’ and investment advisors’ controls.2 In addition to the OCIE,3 regulatory bodies such as Financial Industry Regulatory Authority (FINRA)4 have provided additional guidelines for managers to look to. While following these other requirements may hold managers to a higher standard than is outlined by the OCIE, there is little indication to date to suggest that the SEC’s expectations are lower. Historically, the SEC and FINRA have been quick with enforcement action where their guidelines have been egregiously ignored. The number of cases brought by these two regulators on the basis of cybersecurity failings (at least in part) is already in the double digits. To each their own Set in this context, the SEC’s lack of specificity gives it the flexibility to evaluate each RIA’s adherence to the guidelines independently. The areas where the regulator will spend its time are increasingly clear; encryption, data retention limits, risk assessments, information security policies, documentation, incident response plans and workforce training are all fair game. It seems that there is to be, for now, no definitive or official list of requirements that RIAs can simply check off to claim compliance. In firms where the SEC sees the higher potential risk, it has left itself room to demand greater measures to protect against cyber threats, and lesser measures for threats that pose a lower risk. 22 DUFF & PHELPS – GRO VIEWPOINT 2017
  • 2. This is not necessarily a bad thing. While RIAs may have less certainty about cyber compliance, they also have an opportunity to look at cybersecurity holistically and pragmatically. This should prompt them to consider not just the regulatory requirements, but also their own cybersecurity risks. The SEC is rightly focused on investor protection and market integrity. Firms’ intellectual property or client lists (from a competitive, rather than privacy, standpoint) are not really its concern. Meeting the SEC standards will not necessarily protect a firm’s algorithms, nor retain its customers when a trader leaves. Cybersecurity must go further than minimal compliance satisfaction. To an extent, the SEC’s flexibility means that it will continue to determine whether RIAs’ cybersecurity controls are adequate on a case-by-case basis, and RIAs likely should be taking the same approach. GIVEN THE MAGNITUDE OF RECENT CYBER BREACHES, OUR COMPANY PLANS TO FOCUS MORE RESOURCES AND TIME ON CYBERSECURITY. WHERE DO YOU EXPECT REGULATORS TO FOCUS IN 2017? 59.6%Agree 9.6%Unsure 3.2%Disagree 1.1%Strongly disagree Strongly agree 26.3% Focus Area Answer Options Accounting fraud AML/KYC and financial crime issues Asset misap- propriation Benchmark and FX manipulation Bribery and corruption Client suitability/ misselling Cyber- security Fee and expense allocation Firmwide culture of compliance High- frequency, dark pools, algo and electronic trading Liquidity manage- ment Marketing practices to investors/ customers Misstating/ misreporting asset values Proper disclosure for investors Valuation Don’t know Response Count Priority 1 1 34 2 2 5 7 48 16 9 2 8 6 0 10 4 3 157 Priority 2 2 17 0 2 4 11 35 19 14 11 7 14 3 9 6 2 156 Priority 3 5 11 3 4 12 7 21 7 22 7 5 17 3 18 6 4 152 DUFF & PHELPS – GRO VIEWPOINT 2017 23