ACA Aponix - Best North American Cybersecurity Firm
ACA Aponix, a division of ACA Compliance Group, provides financial services firms with a 360-degree, independent approach to technology risk and governance. Conducting a comprehensive risk assessment helps fund managers identify potential gaps and vulnerabilities, which the ACA Aponix team then works through with each client to mitigate.
"Our product offering encompasses cyber risk assessments as well as conducting mock audits, to not only help our clients prepare for a regulator visit but also test their ability to respond to a cyber breach, were it to happen," comments Anand Mohabir, Senior Principal Consultant.
At a high level, the ACA product offering involves performing risk assessments, mock audits, vendor diligence, network testing (both internal and external), training (which includes phishing exercises), tabletop exercises and helping clients produce a Written Information Security Program (WISP).
Mohabir confirms that this year, ACA Aponix has been focused on providing education to its clients, part of which has been conducted via a series of eight webinars designed to bring clients up to speed on issues that they need to know personally, which they can then apply as best practices within their organisations.
"We have developed an internal training platform that clients can use to help gauge their employees' knowledge and understanding of cybersecurity as it relates to their daily work. We launched this at the start of the year," confirms Mohabir, adding:
"The way we feel individuals will help a firm move forward is to practice better cybersecurity hygiene."
Managers are not only dealing with the broad cyber risks and phishing campaigns of hackers; they are also dealing with the regulatory aspect. In years gone by, investment advisors tended to focus on protecting their network perimeter from external attacks by conducting annual penetration tests, and regarded this as being cyber secure.
"Today, however, they realise that is not enough. Most of the risks that managers face are internal. Many are facing the challenge of how to put controls and processes in place to protect their overall firm. Through our risk assessment process we help clients focus not just on the technology infrastructure but also on people, process, workflow and understanding how individuals do their jobs. It's only by understanding how a firm operates that one can identify potential risks," says Mohabir.
One important element of the risk assessment is vendor due diligence.
As Mohabir explains: "We look to identify data and then classify it, before determining who has access to that data. In many cases that is going to be one of the manager's service providers. We go through this with each client and highlight potential risks with their vendors as part of the vendor due diligence process.
"We also perform mock audits with clients and run table-top exercises. These are designed to help clients test their Incident Response Plans under different scenarios. From a cyber perspective, it might be necessary to invoke the BCP if the IRP calls for it. The focus should always be on testing both the IRP and BCP."
On winning this year's award, Mohabir concludes: "We try to bring a high level of service to each client as if we were an employee responsible for technology security of their firm. This perhaps explains why we have won the award for the second year in succession, which we are very proud of."