What Am I Looking At? Making Sense of Your Cyber Testing Reports

It’s no surprise that Compliance and IT do not speak the same language. Compliance staff often speak in terms of regulations and policies, whereas bits and bytes are the language of IT staff.

This distinction is clear when it comes to cybersecurity risk management, as the compliance and IT audiences are looking for different takeaways when reviewing cybersecurity testing reports, according to E.J. Yerzak, Director of Cyber IT Services at CSS, and Korrine Kohm, Director of Retail Wealth Manager Services at CSS, who presented on the topic at the CSS/Ascendant compliance conference in San Diego in coordination with Martin Voelk, Chief Hacking Officer of GigIT, Inc.

Their session, “The Threat is Real – Understanding Your Cyber Testing Reports,” explained various types of cybersecurity testing that many investment advisers are retaining firms to conduct, from phishing testing to vulnerability scanning to various types of penetration testing (network, web application, and Wi-Fi), as well as the difference between each testing approach. And since all cyber testing is essentially designed to assess cyber risk, the speakers discussed industry standard vulnerability frameworks such as the Common Vulnerability Scoring System (CVSS) ranking scale and the use of CVE Identifiers to uniquely identify a specific vulnerability.

Given the numerous agency regulations that now require or strongly recommend periodic cybersecurity testing and set forth specific frequencies for such testing, it is now more important than ever that compliance and IT get on the same page when it comes to understanding their firm’s cyber risk exposure, and what is being done to address those risks. Compliance need not become an IT person, but can certainly benefit from developing a good working knowledge of, and obtaining more comfort with, the different types of cyber testing, the various parts of a cyber report, and how much risk a particular vulnerability presents to the firm.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Report on Operation of AIFMD Highlights Existing Issues

On 10 January 2019, the European Commission (EC) published a report on the operation of the Alternative Investment Fund Managers Directive (AIFMD). The report confirms that AIFMD has significantly contributed to creating a single market for alternative investment funds by establishing a harmonized regulatory and supervisory framework. However, it also identifies various topics that will … Continued

SEC’s Latest Risk Alert Focuses on Electronic Communications

The SEC’s most recent risk alert, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” issued on December 14, 2019, focuses on the use and maintenance of electronic communications for business purposes. The purpose of the alert is to remind advisers of their obligations related to personal use of electronic messaging and the requirements for … Continued