What Am I Looking At? Making Sense of Your Cyber Testing Reports

It’s no surprise that Compliance and IT do not speak the same language. Compliance staff often speak in terms of regulations and policies, whereas bits and bytes are the language of IT staff.

This distinction is clear when it comes to cybersecurity risk management, as the compliance and IT audiences are looking for different takeaways when reviewing cybersecurity testing reports, according to E.J. Yerzak, Director of Cyber IT Services at CSS, and Korrine Kohm, Director of Retail Wealth Manager Services at CSS, who presented on the topic at the CSS/Ascendant compliance conference in San Diego in coordination with Martin Voelk, Chief Hacking Officer of GigIT, Inc.

Their session, “The Threat is Real – Understanding Your Cyber Testing Reports,” explained various types of cybersecurity testing that many investment advisers are retaining firms to conduct, from phishing testing to vulnerability scanning to various types of penetration testing (network, web application, and Wi-Fi), as well as the difference between each testing approach. And since all cyber testing is essentially designed to assess cyber risk, the speakers discussed industry standard vulnerability frameworks such as the Common Vulnerability Scoring System (CVSS) ranking scale and the use of CVE Identifiers to uniquely identify a specific vulnerability.

Given the numerous agency regulations that now require or strongly recommend periodic cybersecurity testing and set forth specific frequencies for such testing, it is now more important than ever that compliance and IT get on the same page when it comes to understanding their firm’s cyber risk exposure, and what is being done to address those risks. Compliance need not become an IT person, but can certainly benefit from developing a good working knowledge of, and obtaining more comfort with, the different types of cyber testing, the various parts of a cyber report, and how much risk a particular vulnerability presents to the firm.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Giving Voice to Values: A New Approach to Ethics

The “Giving Voice to Values” program grew out of Professor Mary Gentile’s frustration of what was going on in both the financial industry and in higher education. She was frustrated and angry about the poor way that ethics was being taught in universities and applied in real-world scenarios. What developed out of her frustration is … Continued

Tips for Developing a Tailored Private Fund Compliance Calendar

As regulatory concerns proliferate and become more complex, developing and monitoring your “to-do” list becomes of paramount importance.  John Gentile, the Director of Private Fund Manager Services for Compliance Solutions Strategies and Michael Emanuel, a Partner at Stroock & Stroock & Lavan LLP provided attendees of the recent CSS 2019 Fall Conference some insight into … Continued

Brexit: Implications for Shareholders with Threshold Interests

As yet another deadline approaches for the United Kingdom to either leave the European Union with a withdrawal agreement in place or else exit effective immediately in a “no-deal” scenario, it is worth examining how this would affect asset managers subject to the UK regimes for major shareholdings, short selling, and dealing disclosures. First, the … Continued