[BreachExchange] What are you doing to prevent a data breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 15 20:42:49 EST 2016


https://securitiescompliancesentinel.foxrothschild.com/cyber-security/what-are-you-doing-to-prevent-a-data-breach/

A broker-dealer recently agreed to pay a $650,000 fine after an OSJ’s cloud
vendor failed to adequately protect customer information. Apparently, an
outside hacker was able to gain access to non-public personal information
about the firm’s customers.

This breach and the resulting fine should certainly serve as a wake-up call
to all firms, but, in particular, to smaller firms. Those firms are more
likely to use outside vendors to control costs, but are at greater risk.

If anything, this fine only reinforces the fact that firms are responsible
for the vendors that they hire. A partner of mine taught me long ago that
you can always delegate the task, but not the responsibility. The same
holds true here.

It is perfectly fine to use a cloud vendor or some other third party for
your firm operations, but you must, at the same time, engage in heightened
diligence. You must do more to protect yourself.

Although you cannot rid yourself of the responsibility to protect client
information, you could assign the risk of loss to the other firm. In other
words, the other firm would have to indemnify you for any fines if their
system is breached.

At the same time, part of your due diligence when hiring a firm must
include asking tough questions. Like, have you ever sustained a breach?
And, if so, have you had another one since?

In short, go ahead and outsource, but make sure you know who you are using.
Ask the hard questions, and protect yourself with negotiated terms in your
contract.