The Securities and Exchange Commission (SEC) has been increasing its focus on the cybersecurity programs of registered firms. A recent SEC action highlighted an important point: firms must show that they have worked to customize their information security policies to meet their specific needs.
The Safeguards Rule (which the Commission adopted in 2000) requires that every broker-dealer registered with the Commission adopt written policies and procedures reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Security Policies Must be Customized
In a recent SEC action against a firm and two executives, one of the key issues was that the firm had apparently used security policy templates without providing even the most basic level of customization. According to the SEC action:
The Safeguards Rule Policy contained blanks to be filled in later, such as: “[The Firm] has adopted procedures to protect customer information, including the following: [methods].”
Does this sound far-fetched? Many auditing firms have found written security policies submitted as evidence that still have “Company X” as the firm name, a sure sign that Information Security Policies Made Easy was used for templates but no attention was paid to the actual content. While this action focused on the SEC Safeguards Rule, it provides lessons for any firm trying to develop information security policies on a tight budget.
Security Policies should read like a good book
Another temptation is to gather a series of free sample policies from various sources on the internet. This is a common practice, since most free resources do not offer a complete set of security policy topics. When templates from different authors are put together, the resulting security policies will generally fail to work as a coherent set of documents. In many ways, a group of security policies should read like a good book: each chapter covers a different topic, but the chapters work together to tell a complete story. In the case of written policies, the “narrative” is how the organization will protect information.