The Role of ITAD in Ensuring Regulatory Compliance and Cybersecurity
The SEC is focusing on the physical security of IT assets, including information technology asset disposition (ITAD).
In recent years, the Securities and Exchange Commission (SEC) has strengthened its focus on the cybersecurity measures that regulated entities are taking, in response to the increasing threat of data breaches. As part of its Cybersecurity Initiative, the SEC created a seven-page sample document request consisting of 28 comprehensive questions for financial institutions, meant to help firms assess their level of cybersecurity preparedness. In effect, the SEC has sent a message to financial service entities that they should be taking steps to assess and upgrade data security at their organizations.
One area that the SEC is focusing on is the physical security of IT assets. This includes Information Technology Asset Management as well as Information Technology Asset Disposition (ITAD).
Protecting and safely disposing of IT assets is critical to ensuring data security and remaining compliant with relevant laws and regulations. Often, the retirement of IT assets is the weakest point in a financial service organization's data security strategy.
The SEC's national exam program Risk Alert
This program is also known as the SEC's Cybersecurity Initiative or simply Risk Alert. Beginning in September of 2015, the Office of Compliance Inspections and Examinations (OCIE) examined 75 financial services firms over a period of about one year. According to an article by Harvard University, the OCIE focused on:
- governance and risk assessment
- access rights and controls
- data loss prevention
- vendor management
- training
- incident response
The OCIE then reported its results in a "risk alert", which details cybersecurity practices in the financial industry and recommends best practices.
A notable difference in this initiative compared to past efforts is that there is a greater focus on the physical security of IT assets because lost or stolen IT assets are among the most common causes of a data breach.
Ensuring Secure IT Asset Disposition
According to IBM Security's "Examining the Cost of a Data Breach" data breach calculator, financial organizations in the United States will be forced to spend an average of $11 million per data breach incident. Beyond the monetary cost, data breaches may also damage a financial service organization's reputation and lead to the loss of trust by its customers.
In addition to making sure that all of the appropriate security technologies and procedures are in place, it is also important to address one of the most common causes of data breaches: improper disposal of IT assets that are at the end of their lifecycle.
As you are looking for a solution to this problem for your financial services organization, make sure these processes are in place in order to ensure security:
- Security and protection: Make sure that the ITAD solution you choose for your financial organization destroys or sanitizes the information on all data-bearing assets before they are recycled or refurbished for remarketing.
- Secure chain-of-custody: Your ITAD solution should maintain a full chain-of-custody, with a step-by-step history of who possessed each asset and a complete audit report, so you know where the data has been and where it currently resides.
- Third-Party Certification: ITAD industry certifications such as e-Stewards and R2 ensure that electronics recyclers adhere to the most stringent security, environmental, and health and safety standards.
How robust is your ITAD program?
With regulatory bodies focusing more closely on the data security measures that financial services organizations have in place, including ITAD, it is increasingly important to ensure that your ITAD processes are secure and effective.
Make sure that you choose the right ITAD provider by confirming that they have the most effective processes in place – including secure chain-of-custody, complete destruction or sanitization of all media-bearing devices, and full environmental compliance.