The OCIE Cybersecurity Initiative scrutinizes a firm's cybersecurity risk assessment, threat detection, protective measures, and incident response plans. A firm can face more than one kind of OCIE examination: a standard examination assessing overall security practices, or a focused inspection of the firm following a specific incident.
If your firm is selected for an OCIE examination, how should you handle OCIE compliance?
- Know what they're looking for. The OCIE's published sample request list is a good starting point: it details the kinds of information and records the OCIE may ask for when it reviews your cybersecurity practices. Keep in mind that the list is a foundation, not a checklist; it does not necessarily cover everything you need in order to comply with their requirements.
- Understand your firm's specific risks. Although the OCIE examines cybersecurity issues common to all firms, it will also look at risks particular to yours. Where is your firm most exposed to fraud or to compromise of sensitive data? Cybersecurity controls need to be tailored to your firm, its business practices, and its organization.
- Look beyond your immediate business environment. Security risk also comes from third-party vendors and other businesses you share systems or data with. The OCIE will expect you to have identified those relationships and to account for them in your controls.
- Make sure your employees know what's going on. An important part of cyber security is your employees' understanding of their roles when it comes to evaluating cyber security risks, implementing preventative measures, and detecting and responding to threats. If your employees don't seem to know what's going on or are engaging in unsafe practices, this is potentially a major problem.
- Maintain documentation. Your cybersecurity plan and practices must be well documented. Thorough documentation is evidence that you are complying with SEC and OCIE expectations. In addition to a comprehensive written plan, keep records of cybersecurity threats and incidents and of the actions you took to prevent and respond to them (dates, the employees involved, the systems affected, and the outcome).
- Confront the hard problems. Some aspects of cybersecurity are especially difficult to implement. One example is detecting suspicious or unauthorized activity on the company network. These weaknesses are precisely what the OCIE will be looking for, so you cannot avoid dealing with them. You need a plan for each of these challenges, including measures that shorten the time between the start of anomalous activity on your systems and the moment you notice it.
- Remain honest. Don't try to lie or cover up anything that might make your firm look bad. Chances are, the information will emerge anyway, leading to worse consequences for you. See these examinations as an opportunity to make your firm and its customers more secure from the severe losses that can result from a cyber attack.
- Consult with IT experts. IT security consultants can thoroughly assess or audit your firm for risks and help you design effective, cost-efficient cybersecurity controls, making it more likely that you will be in compliance when the OCIE arrives.
Even minor deficiencies found by OCIE examiners can result in action against your firm. Please contact us for assistance in preparing for OCIE examinations and in complying with strict cybersecurity regulations.
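The "time to notice" point above is easier to act on when detection is expressed as a concrete rule and its latency is measured. The following is an added example, not code from this page or from the OCIE: it scans constructed authentication log lines (the format, one event per line as "timestamp user result source_ip", is an assumption), flags a source that racks up repeated failed logins for an account and then succeeds, and records how long the activity went on before the rule fired. That latency is the number a firm would want to drive down and document.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration only (not real data).
# Assumed format per line: "<ISO timestamp> <user> <FAIL|OK> <source ip>".
SAMPLE_LOG = """\
2023-03-01T09:00:01 alice FAIL 198.51.100.7
2023-03-01T09:00:04 alice FAIL 198.51.100.7
2023-03-01T09:00:09 alice FAIL 198.51.100.7
2023-03-01T09:00:15 alice FAIL 198.51.100.7
2023-03-01T09:00:21 alice FAIL 198.51.100.7
2023-03-01T09:00:30 alice OK 198.51.100.7
2023-03-01T09:05:00 bob OK 203.0.113.20
2023-03-01T09:06:00 carol FAIL 203.0.113.21
2023-03-01T09:07:00 carol OK 203.0.113.21
"""

# Hypothetical tuning values; a real deployment would set them per environment.
FAIL_THRESHOLD = 5          # failures needed before a later success is suspicious
WINDOW = timedelta(minutes=2)  # sliding window in which those failures must occur


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alerts, one per (source, user) pair that logged
    `threshold` or more failures inside `window` and then logged in OK.

    Each alert is a dict with the source, the user, the timestamp of the
    first failure in the burst, the timestamp at which the rule fired, and
    the latency in seconds between the two (how long the activity ran
    before detection)."""
    recent_fails = defaultdict(list)  # (source, user) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = parse_line(line)
        key = (src, user)
        # Keep only failures that are still inside the sliding window.
        recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
        if result == "FAIL":
            recent_fails[key].append(ts)
        elif result == "OK" and len(recent_fails[key]) >= threshold:
            first = recent_fails[key][0]
            alerts.append({
                "source": src,
                "user": user,
                "first_failure": first,
                "detected_at": ts,
                "latency_seconds": (ts - first).total_seconds(),
            })
            recent_fails[key].clear()  # start fresh after alerting
    return alerts


def worst_latency(alerts):
    """Largest detection latency in seconds, or 0.0 if nothing fired.
    This is the figure to track over time when trying to shorten
    the gap between anomalous activity and noticing it."""
    return max((a["latency_seconds"] for a in alerts), default=0.0)


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['source']} user={a['user']} "
              f"first_failure={a['first_failure']} detected_at={a['detected_at']} "
              f"latency={a['latency_seconds']:.0f}s")
    print(f"worst latency: {worst_latency(found):.0f}s")
```

Run against the constructed log, the rule fires once, for alice from 198.51.100.7, and reports a 29-second gap between the first failed attempt and detection; carol's single failure followed by a success does not trip it. The same structure (a rule, a window, and a recorded latency per alert) is what an examiner can read in your incident records alongside the dates and people involved.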
Financial Services Technology Strategist