managing-cybersecurity-compliance
Evaluates cybersecurity programs against SEC, FINRA, and state regulatory requirements. Use when assessing cybersecurity compliance, implementing security frameworks, or responding to cyber requirements.
Best use case
managing-cybersecurity-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Evaluates cybersecurity programs against SEC, FINRA, and state regulatory requirements. Use when assessing cybersecurity compliance, implementing security frameworks, or responding to cyber requirements.
Teams using managing-cybersecurity-compliance should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/managing-cybersecurity-compliance/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How managing-cybersecurity-compliance Compares
| Feature / Agent | managing-cybersecurity-compliance | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Evaluates cybersecurity programs against SEC, FINRA, and state regulatory requirements. Use when assessing cybersecurity compliance, implementing security frameworks, or responding to cyber requirements.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Managing Cybersecurity Compliance Evaluates cybersecurity programs against SEC, FINRA, and state regulatory requirements for broker-dealers, investment advisers, and other regulated financial entities. ## When To Use - Assessing a firm's cybersecurity posture against SEC Regulation S-P, Regulation S-ID, or proposed/adopted cyber disclosure rules - Evaluating FINRA compliance with Rules 3110 (supervision), 4370 (BCP), and cybersecurity-related notices (e.g., Regulatory Notice 21-18) - Preparing for or responding to SEC or FINRA cybersecurity examination sweeps - Implementing or benchmarking against NIST Cybersecurity Framework as recommended by SEC/FINRA guidance - Reviewing state-level cybersecurity requirements (e.g., NY DFS 23 NYCRR 500, CCPA/CPRA data security obligations) [VERIFY state applicability based on firm registration and customer base] - Responding to a cyber incident that triggers regulatory notification obligations ## Inputs To Gather - **Firm profile**: Registration type (BD, IA, dual), AUM/customer account volume, number of offices and employees - **Existing policies and procedures**: Written information security policy (WISP), incident response plan, BCP, vendor management policy, data governance/classification policy - **Prior examination results**: SEC exam deficiency letters, FINRA findings, internal audit reports related to cybersecurity - **Technical environment summary**: Network architecture overview, cloud service providers, third-party vendors with access to customer data or systems - **Current framework alignment**: Whether the firm has mapped controls to NIST CSF, ISO 27001, CIS Controls, or another framework - **Incident history**: Prior breaches, near-misses, SARs filed related to cyber events, any Reg S-P breach notifications issued - **Regulatory correspondence**: Any recent SEC or FINRA risk alerts, sweep letters, or information requests related to cybersecurity ## Workflow 1. **Map regulatory obligations** - Identify all applicable SEC rules: Reg S-P (safeguards rule), Reg S-ID (identity theft red flags), proposed cyber incident reporting rules [VERIFY current rule status—check if SEC cybersecurity disclosure rules have been finalized or amended] - Identify FINRA obligations: supervisory procedures for cyber risk, BCP requirements addressing cyber disruption, customer notification duties - Identify state requirements: NY DFS 500 (if applicable), state breach notification laws for each jurisdiction where customers reside [VERIFY state-by-state notification timelines and content requirements] 2. **Assess current controls against requirements** - Evaluate governance structure: designated CISO or equivalent, board/senior management reporting cadence, cybersecurity committee or function - Review access controls: least-privilege implementation, MFA deployment, privileged access management - Assess data protection: encryption at rest and in transit, data loss prevention controls, customer PII inventory and classification - Review vendor/third-party risk management: due diligence process, contractual security requirements, ongoing monitoring - Evaluate incident response readiness: documented IR plan, defined roles and escalation paths, tabletop exercise history, regulatory notification procedures and timelines - Check training program: content coverage (phishing, social engineering, insider threat), frequency, tracking and completion records 3. **Perform gap analysis** - Map each regulatory requirement to specific existing controls or identify gaps - Categorize gaps by severity: critical (direct regulatory exposure), high (material weakness), medium (best-practice shortfall), low (enhancement opportunity) - Cross-reference against recent SEC/FINRA examination priorities and risk alerts to flag areas of heightened regulatory focus 4. **Develop remediation roadmap** - Prioritize gaps by regulatory risk, likelihood of examination scrutiny, and implementation complexity - Assign ownership and target completion dates for each remediation item - Identify quick wins (policy updates, training refreshers) vs. longer-term projects (technology deployments, vendor renegotiations) - Establish interim compensating controls for critical gaps that require extended remediation timelines 5. **Document and report** - Produce a compliance assessment report suitable for senior management or board presentation - Include executive summary, methodology, findings by regulatory domain, risk ratings, and remediation plan - Attach supporting evidence matrix mapping controls to specific regulatory citations ## Output The deliverable is a **Cybersecurity Compliance Assessment Report** containing: - **Executive summary**: Overall compliance posture rating, top risks, and priority actions - **Regulatory obligation matrix**: Each applicable rule/requirement mapped to current control status (compliant, partially compliant, non-compliant, not applicable) - **Detailed findings**: Organized by regulatory source (SEC, FINRA, state), each finding including the requirement citation, current state, gap description, risk rating, and recommended remediation - **Remediation roadmap**: Prioritized action items with owners, timelines, resource estimates, and interim measures - **Appendices**: Control evidence inventory, examination history summary, framework crosswalk (e.g., NIST CSF mapping) ## Quality Checks - Every finding cites a specific regulatory rule, guidance document, or examination priority reference - Gap severity ratings are consistently applied using the defined categorization criteria - Remediation recommendations are actionable (specific steps, not vague directives like "improve cybersecurity") - State-specific requirements are flagged with [VERIFY] where jurisdiction-dependent variations exist - Report distinguishes between binding regulatory requirements and voluntary best-practice recommendations - Incident notification timelines are accurate for each applicable regulator and state [VERIFY current timelines—SEC, FINRA, and state requirements change frequently] - No assumptions are made about the firm's technical environment without input data; missing information is noted as a gap in the assessment