SEC Affirms the Need for Custom Security Policies

The Securities and Exchange Commission (SEC) has been increasing its focus on the cyber security programs of registered firms. A recent SEC action highlighted an important point: firms must show that they have worked to customize their information security policies to meet their specific needs.

The Safeguards Rule (which the Commission adopted in 2000) requires that every broker-dealer registered with the Commission adopt written policies and procedures reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Security Policies Must be Customized

In a recent SEC action against a firm and two executives, one of the key issues was that the firm had apparently used security policy templates but had not provided even the most basic level of customization. According to the SEC action:

The Safeguards Rule Policy contained blanks to be filled in later, such as: “[The Firm] has adopted procedures to protect customer information, including the following: [methods].”

Does this sound far-fetched? Many auditing firms have found written security policies submitted as evidence that still have “Company X” as the firm name, a sure sign that Information Security Policies Made Easy was used as the template source but no attention was paid to the actual content. While this action was focused on the SEC Safeguards Rule, it provides lessons for any firm trying to develop information security policies on a tight budget.

Security Policies should read like a good book

Another temptation is to gather a series of free sample policies from various sources on the internet. This is a common practice, since most free resources do not offer a complete set of security policy topics. When templates from different authors are put together, the resulting security policies will generally fail to work as a coherent set of documents. In many ways, a group of security policies should read like a good book: each chapter covers a different topic, but the chapters work together to tell a complete story. In the case of written policies, the “narrative” is how the organization will protect information.

Security Policies are Like Legal Contracts

One of the comments we often make to legal firms is that information security policies are like legal contracts. An experienced attorney can tell when an “amateur” with no real legal skill has developed a contract. Similarly, a skilled information security auditor can tell when a firm has simply copied boilerplate policy templates. Don’t make this mistake! Get professional security policy help to develop your written security policies. While you can certainly save thousands of dollars and get a great head start by purchasing templates, make sure they are properly tailored for your business.