On April 15, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a risk alert, which notified investment advisors that its upcoming examinations will focus on cybersecurity. The risk alert follows OCIE’s announcement of its 2014 examination priorities identifying technology as a significant initiative, and the SEC’s March 26 cybersecurity roundtable, which emphasized the need for stronger partnerships between the SEC and the private sector to address cybersecurity threats. These recent actions unmistakably signal that the SEC is focused on cybersecurity as a critical public threat.
Shortly after releasing the risk alert, the SEC began conducting examinations of more than 50 registered broker-dealers and investment advisors to gauge “cybersecurity preparedness.” These examinations are ostensibly designed to help the SEC identify the areas in which SEC-registered entities are already addressing cybersecurity threats and, of course, those areas where cybersecurity measures could be improved.
For these examinations, the SEC provided a sample list of questions that comprises 28 requests with multiple sub-parts. The list addresses a broad range of issues and technical complexity. For example, one of the simpler questions is whether an RIA maintains an inventory of the physical devices and systems used at the firm. Some more complex questions include whether the RIA maintains protection against distributed denial of service (DDoS) attacks for critical Internet-facing IP addresses; whether the RIA maintains baseline information about expected events on the firm’s network; and whether the RIA aggregates and correlates event data from multiple sources to assist in detecting unauthorized activity on its networks or devices.
Other questions address whether RIAs allocate liability for cybersecurity breaches that adversely affect their clients. In particular, Question 8 asks whether the RIA maintains insurance specifically covering losses and expenses attributable to cybersecurity incidents. In addition, Question 17 asks RIAs to provide sample copies of vendor agreements to show whether they incorporate requirements relating to cybersecurity risk. These questions not only trigger RIAs to develop policies and procedures, but also to potentially obtain cybersecurity insurance policies and update their third-party vendor and confidentiality agreements to specifically address liability for cybersecurity breaches.
Despite the absence of a formal regulation on this matter (such as Regulation S-ID, addressing identity theft and potentially fraudulent third-party transfers, which became effective in November 2013), it is clear that RIAs should develop policies and procedures to reduce the risk of cybersecurity breaches.
The policies and procedures that RIAs develop in this respect should be tailored to the sample list of questions. They should also be resource-driven, meaning that RIAs should only adopt such policies and procedures to the extent that they are necessary to protect their clients and that are tailored to the RIA’s actual business practices. Given the complexity of the questions on the list, it would also be reasonable for RIAs to consult with their IT staff or third-party vendors before drafting such policies and procedures.
Universally, however, RIAs should implement cybersecurity policies and procedures that:
Identify the cybersecurity risks to the RIA’s systems, assets, data and capabilities.
Limit or contain the impacts of potential cybersecurity events.
Identify the occurrence of cybersecurity events.
Identify appropriate activities to combat detected cybersecurity breaches.
Restore any capabilities or services impaired as a result of a cybersecurity event.