On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published observations from examiners pertaining to market participants’ cybersecurity and operational resiliency practices. Resiliency means more than just preventing or responding to a cyber-attack. The term also includes a firm’s ability to operate during a cyber-attack and to recover from it.
OCIE’s findings were drawn from examinations of different entities and, according to the SEC’s press release, serve the following purpose:
The observations highlight certain approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. The observations highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to potentially safeguard against threats and respond in the event of an incident.
OCIE’s observations recognized that there is no one-size-fits-all approach to cybersecurity preparedness and operational resiliency practices.
RIAs should learn from OCIE’s observations
Although OCIE’s examinations were not limited to Registered Investment Advisers (RIAs), advisory firms can learn from most of the observations. Examiners made observations in a number of areas.
Governance and risk management
Successful cybersecurity programs incorporate components such as:
- A risk assessment to identify, analyze, and prioritize the organization’s cybersecurity risks;
- Written cybersecurity policies and procedures designed to control those risks; and
- Effective implementation and enforcement of the cybersecurity policies and procedures.
Examiners discovered that organizations use numerous risk management and governance measures such as:
- Senior level engagement;
- Risk assessment;
- Policies and procedures;
- Monitoring and testing;
- Ongoing evaluation and adaptation to changes; and
RIAs should regularly test and monitor the effectiveness of their cybersecurity policies and procedures. Firms can use cyber-threat intelligence to inform what they test and monitor.
Access rights and controls
Examiners observed that organizations implemented strategies designed to restrict user access. They also managed and monitored user access by utilizing systems and procedures. In addition, firms established appropriate controls aimed at preventing and monitoring unauthorized access.
Data loss prevention
Data loss prevention relies on a set of tools and processes to ensure that sensitive data, including client information, is not lost, misused, or accessed by users who are not authorized. Data loss prevention measures include vulnerability scanning, perimeter security, and detective controls that identify threats on endpoints. Endpoints include any device beyond the corporate firewall, such as a laptop, tablet, or mobile phone that connects to the central network.
Mobile security
Examiners observed that firms established policies and procedures governing the use of mobile devices. Employees received training on those policies and procedures and learned how to protect their devices.
Incident response and resiliency
Incident response plans used by firms address the timely detection and appropriate disclosure of material information regarding cyber-related incidents. These plans also evaluate whether corrective actions are appropriate after an incident is detected. Two important components of incident response plans are business continuity and resiliency. If an incident occurs, how long would it take an organization to recover and safely serve clients?
Vendor management
OCIE observed that organizations typically implemented policies and procedures pertaining to:
- Conducting due diligence before selecting vendors;
- Monitoring and overseeing vendors and their contracts;
- Evaluating vendors’ role in the risk management process, as well as the required due diligence; and
- Assessing how vendors protect client information.
RIAs should monitor vendor relationships to ensure that they continue to satisfy security requirements.
Training and awareness
OCIE stressed that training and awareness are key components of cybersecurity programs. Training keeps employees up-to-date regarding cyber-risks and heightens their awareness of cyber-threats. Policies and procedures help to engage workers in the organization’s efforts to build a culture of cybersecurity readiness and operational resiliency. OCIE emphasized that training modules benefit from the inclusion of examples and exercises, such as teaching employees to identify phishing emails. Training should include a discussion of preventive measures, such as responding to indications that a breach has occurred and obtaining customer confirmation of suspicious transactions before they are executed.
As they review OCIE’s observations, RIAs should recognize how serious examiners are about the issue of cybersecurity. OCIE has published eight risk alerts pertaining to cybersecurity. Furthermore, in its 2020 examination priorities, OCIE announced that cybersecurity and data privacy will continue to be an examination priority.
OCIE’s observations can be reviewed HERE
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.