The threat of a data breach is always present. The emails you send (or open), online payments you accept, and the data you store are all possible liabilities. Any of these activities could be the one that inadvertently exposes your clients' sensitive information or your business's secrets.
But you knew that. What you may not be aware of is how many tools are available to help you tighten up your firm's cyber security practices. In fact, the Securities and Exchange Commission's Division of Investment Management just released a guide [PDF] that sheds some light on how to shore up your digital affairs.
And for more incentive to take these insights to heart, ThinkAdvisor reports that registered investment advisors who suffer a data breach but haven't implemented the SEC's best practices could face regulatory action.
With that in mind, let's take a look at the security practices the SEC recommends.
1. Conduct periodic assessments of tech systems.
The SEC's guide states that your assessment should account for:
- The nature of the information your firm collects.
- How sensitive that information is.
- Where that confidential information is located.
- The systems in place to store or process that data.
Taking inventory of what data you have and how it's handled gives you a better idea of how to protect it. For example, separating sensitive data from the rest of your records lets you restrict access to just the people and systems that need it. The fewer accounts that can reach that data, the smaller the exposure if any one of them is compromised.
The SEC also recommends that you evaluate both internal and external cyber threats. This may require the help of an information security professional.
2. Create a strategy for preventing, detecting, and responding to cyber security threats.
Another golden rule from the SEC: create a plan for sniffing and snuffing out cyber risks. The guide recommends…
- Controlling access to various systems and data.
- Encrypting data.
- Backing up data.
- Developing an incident response plan.
That last point is of particular interest because a data breach response plan may cut down your overall costs if you ever do have an incident. Ponemon Institute's 2014 Cost of Data Breach Study [PDF] states strong security and a formal incident response plan can reduce the average cost of a data breach from $21 per record to $17 per record. That may not seem like huge savings, but when you're dealing with hundreds of exposed records, it adds up.
To learn more about the cost of a breach, read "Data Breach at Accounting Firm Could Cost Big Bucks."
3. Implement cyber security strategy through written policies and training.
Creating a formal cyber security policy can help get your staff on the same page about best practices and reinforce expectations and procedures. Plus, training is the best way to ensure your employees…
- Understand what cyber risks they may come up against.
- Can detect those risks and avoid them.
- Know how to report potential threats.
Though the SEC's recommendations can certainly help you minimize the likelihood of a security incident, they don't eliminate the risk altogether. That's why, as the final component of your cyber security plan, you might want to consider carrying Cyber Liability Insurance.
This policy can help you pay for the expenses that accompany a data breach, such as the cost of:
- Notifying affected parties.
- Investigating the breach.
- Repairing your security.
- Managing your firm's PR in the aftermath.
Granted, there's no policy that will prevent a cyber attack, but this coverage does give you the means to pick up the pieces so a breach doesn't bleed your bottom line.