What Am I Looking At? Making Sense of Your Cyber Testing Reports

It’s no surprise that Compliance and IT do not speak the same language. Compliance staff often speak in terms of regulations and policies, whereas bits and bytes are the language of IT staff.

This distinction is clear when it comes to cybersecurity risk management, as the compliance and IT audiences are looking for different takeaways when reviewing cybersecurity testing reports, according to E.J. Yerzak, Director of Cyber IT Services at CSS, and Korrine Kohm, Director of Retail Wealth Manager Services at CSS, who presented on the topic at the CSS/Ascendant compliance conference in San Diego in coordination with Martin Voelk, Chief Hacking Officer of GigIT, Inc.

Their session, “The Threat is Real – Understanding Your Cyber Testing Reports,” explained various types of cybersecurity testing that many investment advisers are retaining firms to conduct, from phishing testing to vulnerability scanning to various types of penetration testing (network, web application, and Wi-Fi), as well as the difference between each testing approach. And since all cyber testing is essentially designed to assess cyber risk, the speakers discussed industry standard vulnerability frameworks such as the Common Vulnerability Scoring System (CVSS) ranking scale and the use of CVE Identifiers to uniquely identify a specific vulnerability.

Given the numerous agency regulations that now require or strongly recommend periodic cybersecurity testing and set forth specific frequencies for such testing, it is now more important than ever that compliance and IT get on the same page when it comes to understanding their firm’s cyber risk exposure, and what is being done to address those risks. Compliance need not become an IT person, but can certainly benefit from developing a good working knowledge of, and obtaining more comfort with, the different types of cyber testing, the various parts of a cyber report, and how much risk a particular vulnerability presents to the firm.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

SEC Retail Investor Focus Turns Towards Registered Investment Companies

Earlier this year when the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2018 examination priorities, OCIE stated that a core priority was to protect retail investors, including seniors and individuals saving for retirement. OCIE is now continuing this effort by focusing on mutual funds and exchanged-traded funds (together, the “Funds”) as the … Continued

SEC Alerts Investment Advisers to Review Solicitor Arrangements

On October 31, OCIE issued a new Risk Alert for investment advisers with solicitor arrangements. The SEC periodically releases risk alerts to notify the industry of deficiencies they are finding during examinations, and this latest alert puts investment advisers with solicitor arrangements on notice to check their solicitor agreements, policies and procedures, and disclosure documents. … Continued

Pennsylvania Sounds Warning Bell Over Client Credentials and Custody

The Pennsylvania Department of Banking and Securities (PDOBS) has indicated in recent guidance two concerns related to investment advisers using client credentials to access a custodial account(s). In the letter dated September 25, 2018, PDOBS indicates that the use of client credentials may create custody and is considered to be a dishonest and unethical practice. … Continued