Cyber-Security Procedures and Data Classification

In the on-going evolution of the fight against cyber-security threats, broker-dealers and investment advisers need to have robust cyber-security policies and procedures.  One of the initial steps is to think about creating a data classification policy to better understand the real types of sensitive information shared within the firm.  Once you have classified the data maintained in your firm, you transition to the next step, which is to inventory the data maintained by the firm.  Questions to consider at this point include:

  • How do you share information?
  • How do you store/protect/discard that information?
  • Who needs access to the information?
  • How do you ensure that everyone consistently manages data so there are no possible breaches?

To begin with, firms will need to create a basic data classification system to determine the types of data your firm and employees are exposed to and are responsible for each day.  Data typically falls into one of the following categories:

  • Confidential data is data that must be highly restricted, protected and monitored from creation to destruction.  For example, Personally Identifiable Information (PII) of a firms customers would be included in this category.
  • Restricted data is data that is confidential data regarding the firms and its business operations, which may be shared, but only with the consent of the firm for business purposes or within government records laws.
  • Unrestricted data is any data that may be shared with the public without permission.

Once the firm has established data classification categories, it can use those categories as a basis for the completion of its inventory of data, and the establishment of policies on how to share, store, and eliminate data, including the identification of the levels of access given to firm personnel and vendors, and the rationale for their access. Important  question to consider at this point include:

  • Does the job requirement of each employee match the level of data that they have access to?
  • Is each vendor’s access limited to the specific functions?
  • What types of controls should be in place to terminate access to information upon the termination of employment with the firm?

Based upon the current regulatory exam focus of FINRA, the SEC and state regulators, failure to have this basic information categorized, inventoried and related cyber-security policies and procedures implemented as we move into 2017, will almost certainly result in findings of regulatory deficiencies.