What Am I Looking At? Making Sense of Your Cyber Testing Reports

It’s no surprise that Compliance and IT do not speak the same language. Compliance staff often speak in terms of regulations and policies, whereas bits and bytes are the language of IT staff.

This distinction is clear when it comes to cybersecurity risk management, as the compliance and IT audiences are looking for different takeaways when reviewing cybersecurity testing reports, according to E.J. Yerzak, Director of Cyber IT Services at CSS, and Korrine Kohm, Director of Retail Wealth Manager Services at CSS, who presented on the topic at the CSS/Ascendant compliance conference in San Diego in coordination with Martin Voelk, Chief Hacking Officer of GigIT, Inc.

Their session, “The Threat is Real – Understanding Your Cyber Testing Reports,” explained various types of cybersecurity testing that many investment advisers are retaining firms to conduct, from phishing testing to vulnerability scanning to various types of penetration testing (network, web application, and Wi-Fi), as well as the difference between each testing approach. And since all cyber testing is essentially designed to assess cyber risk, the speakers discussed industry standard vulnerability frameworks such as the Common Vulnerability Scoring System (CVSS) ranking scale and the use of CVE Identifiers to uniquely identify a specific vulnerability.

Given the numerous agency regulations that now require or strongly recommend periodic cybersecurity testing and set forth specific frequencies for such testing, it is now more important than ever that compliance and IT get on the same page when it comes to understanding their firm’s cyber risk exposure, and what is being done to address those risks. Compliance need not become an IT person, but can certainly benefit from developing a good working knowledge of, and obtaining more comfort with, the different types of cyber testing, the various parts of a cyber report, and how much risk a particular vulnerability presents to the firm.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Time to Use the Bat Phone: Who to Call When a Compliance Officer Needs Help?

It seems that the burden of work continues to increase for compliance professionals in the investment management industry. While also ensuring that their compliance program is effective, compliance officers must also be aware of cybersecurity threats, business continuity plans, new regulations, changes in business strategy, and more – all while doing this under a work … Continued

Texas Outlaws and a Silver Bullet: Position Limits in the USA

In this first installment on position limits, Regulatory Guidance expert Greg Hotaling surveys the current landscape of position limits imposed for U.S.-listed commodity derivative holdings, which can affect investment firms and other speculative investors regardless of where they are based. Stay tuned for coverage of EU position limits in the next edition. “Who shot J.R.?!” … Continued

FAQs From the Cyber Desk

Cybersecurity is a fast-moving target, so it is not uncommon for firms to have questions when it comes to assessing and understanding their cybersecurity risks. Here at CSS we receive a lot of cybersecurity questions, so we thought we would take the time to answer 10 of the most common Frequently Asked Questions. (1) What … Continued