Cybersecurity: Tried and True Tactics for Assessing and Managing Risks, Employee Training and Program Testing Brian Rubin, Partner, Sutherland Tee Meeks,

Presentation transcript:

Cybersecurity: Tried and True Tactics for Assessing and Managing Risks, Employee Training and Program Testing

Brian Rubin, Partner, Sutherland
Tee Meeks, CCO/CAO, Waddell & Assocs., Inc.
David Edwards, President, Heron Financial Group Wealth Advisors
Craig Watanabe, Sr. Compliance Consultant, Advisor Solutions Group, Inc.

Waddell & Associates, Inc.
Employee owned RIA firm based in Memphis with a branch in Nashville
$770M AUM
23 full time employees
Compliance Department = ME + compliance consulting firm
No dedicated Technology Department – outsourced to a local tech firm

April 15, 2014 - OCIE CYBERSECURITY INITIATIVE
A sample cybersecurity document request letter was provided in the appendix of the alert. The letter I received was almost word-for-word the same as the sample request document in the alert.

The Exam
Thorough! >29 questions - most with multiple sub-sections, requiring 78 separate responses and multiple document requests (P&P, Business Continuity Plan, written information security policy, etc.).
>2 weeks to respond and provide the requested supporting documents.
Don’t wait until the last minute to submit your response: required to submit via secure portal - ZixCorp secure email, which had issues even their own tech support person couldn’t resolve quickly.

I am not a “techie”? How do I answer these questions?
Create a team! Meet the W&A team - Compliance officer (me) + Compliance consultant – Ascendant + IT consultant.
Suggestion: also get your CEO and/or other executives involved in this process. Not because they will be helpful, but they need to be aware of the magnitude of what is involved with the security of your systems and the compliance that is involved.
Each question was reviewed, discussed and answered by the most qualified person on the “team”.
Some questions were more tech focused:
  Protection against DDoS attacks
  Process for removal, transfer & disposition of IT assets
Others were more compliance focused:
  Does your Business Continuity plan address cybersecurity incidents?
  Do you provide guidance/risk training?

Within a couple of weeks of submission I received a call to schedule a follow up call to discuss my answers in more detail. I asked if the other members of my “team” could participate on the call.
Suggestion: If you choose to include your IT expert, be sure to advise them on how to interact with the auditors. They should answer the questions directly and not provide more information than is required. IT people LOVE to talk about what they know!
The follow up call was very interactive. It provided a lot of clarity for both us and the examiners.

Words of Wisdom
In our third and final “wrap up” call, the examiners made a few suggestions:
1) They don’t expect CCOs to be technology experts, but they do expect them to be knowledgeable enough about their firm’s technology to understand and mitigate the risks. I mentioned our IT consultant was drafting a Standard Operating Procedure (SOP) manual for us.
NOTE: As a result of a recent loss of data on one of our servers, we have learned FIRST HAND just HOW important this is. GET OUTSIDE, UNINTERESTED PARTY ADVICE if necessary!
2) Employee training and client education is extremely important. Be sure to document your training.
3) Consider purchasing a cybersecurity insurance policy.

W&A Best Practices
Created an IT risk team. Consists of one or more people from:
  Compliance
  Management (for budget purposes)
  IT (department or outside solution)
Use “The letter” as an ONGOING audit of our technology risks. Our IT risk team meets periodically. Questions in the audit letter are reviewed again and we discuss changes/updates. Make sure your IT expert(s) can answer EVERY question confidently. (Caution: you may not understand a word your tech person is saying. Hang in there. You will be surprised what you will eventually learn.)
Purchase Cyber Liability Insurance. Get your IT person involved with this process too. They know what kind of coverage best fits your company’s needs. Get multiple quotes – they VARY! Some applications are VERY detailed.
Share EVERYTHING tech related with our IT department/consultant:
  Policies and procedures
  Cyber Liability policy
  Industry articles
IT department/consultant drafting a SOP manual.
EDUCATE our employees AND our clients. We have frequent conversations about potential risks.
Remember: you are responsible for understanding and mitigating the risks!