Audits should be done at least annually to ensure the plan is on track. Third-party audits and other vulnerability tests can be useful for exposing deficiencies. The plan should also define a process for collecting and analyzing metrics and for providing regular updates to firm leaders to inform them of progress, risks and challenges to completing the action plan.

Keep in mind that documentation will be critical and is typically one of the first pieces of information requested by auditors and regulators. Documentation of everything from training activities to self-audits and new controls will serve as valuable evidence in the event of a regulatory inquiry.

There is no one-size-fits-all approach to cybersecurity, and building a program is not a one-and-done event. Any plan should be dynamic and able to evolve within its framework to adapt to changes in the business, the regulatory environment and trends in cybercrime. Finally, remember that while creating a solid plan is essential, it’s not just about putting the plan on paper. A program will only be effective if it is consistently implemented by employees on a daily basis. Creating a culture of protection, where every member of the team is aware of and committed to doing their part to protect firm and client assets, is the ultimate way to protect your firm from cyber threats.

Nick Georgis is senior vice president of Schwab Advisor Services.