SEC’s Formal Risk Alert And DDQ Questions To Ask Yourself


One of the largest mistakes a financial institution can make today is to ignore or underestimate the importance of IT infrastructure and cybersecurity. It’s easy to adopt a mentality of “nothing is broken, why fix it” when it comes to operations, but that mindset exposes the company to an ever-growing array of digital threats. 

Financial operations are becoming more dependent than ever on technology. The benefits are numerous, including faster transactions, more accurate calculations, and quicker settlements. However, the growing reliance on technology also opens a firm up to potential vulnerabilities at every step of the way. 

When it comes to digital security today, there is no foolproof system. Because the technology is constantly changing, it is nearly impossible to recognize every potential vector of attack. While it is of utmost importance to proactively prevent as much risk as possible, it is inevitable that some leakage will occur. This could be due to a system vulnerability, but a leak is far more likely to happen because of an employee accident. 

Assessing the vulnerabilities of your firm is not easy. Fortunately, a highly recommended way to monitor your firm’s technological safety is through a due diligence questionnaire (DDQ), which is typically put together by a subject matter expert. 

A comprehensive DDQ provides a very detailed way to assess and monitor almost every potential vulnerability in your network, including your vendors and third-party consultants. It should dive deep enough to give a thorough understanding of the data distributed to each party and the level of security each has in place. 

The financial industry is far behind on digital security. On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a formal Risk Alert that raised a flag on common deficiencies that firms face, such as handling sensitive customer data on unsecured devices or having system vulnerabilities. This report came to light after the SEC audited a number of different financial firms. 

Agio helps firms operate with cutting-edge IT and digital security services. After OCIE’s Risk Alert, Agio updated its comprehensive SEC cybersecurity mock audit service, which is offered to clients to replicate the scenarios that real-life firms are assessed on during an audit. To help clients with their digital security needs, Agio has included below a few of the questions that are asked during the mock audit process. 

Technology Vendor 

• When did the firm last perform thorough due diligence on its current IT vendors? 
• What kind of data is sent to each vendor? Is that data necessary? 

Data Management 

• Is there a formal and documented policy to handle data leaks? 
• Is there old or deprecated software still being used in everyday operations? 
• What third-party platforms are used to aggregate data? And how is the data being stored? 
• How is client data secured? Are there safeguards to prevent copying client data onto external devices or being sent over email? 

Network Security Policy 

• Does the firm have an intrusion detection system (IDS) to prevent unauthorized access? 
• Are employees appropriately trained to identify common phishing attempts? 
• Is there a solution in place to ensure devices are secure in the event of loss or theft? 

Disaster Recovery 

• Is there a formal and tested disaster recovery plan? 
• Are there dedicated sites or locations to preserve and back up data?
