Are your written cybersecurity policies actually being implemented?

Prominent industry law firm Stark & Stark has teamed up with Right Size Solutions to ensure that its more than 900 advisory firm clients’ cybersecurity policies can stand up to regulatory scrutiny.

Right Size Solutions, which bills itself as an intelligent cloud technology firm providing business and technology management to the financial services sector, currently provides technology support — including cybersecurity-related policies — to its 85 advisor clients, according to Wes Stillman, Right Size’s founder and president.

Indeed, Stillman warns that advisors who fail to produce a written cybersecurity policy could find themselves with a deficiency noted during their routine exam based on new guidelines from the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations.

OCIE’s National Exam Program released a risk alert in April providing BDs and advisors with a list of questions to help them assess their firms’ cybersecurity compliance, as well as a sample cybersecurity document request that they can expect to receive from the division.

At the same time as it released the risk alert, OCIE said that it launched cybersecurity-related exams of more than 50 registered broker-dealers and RIA firms.

A Stark & Stark spokesperson told ThinkAdvisor that the law firm coordinated with Right Size Solutions to create a cybersecurity policy incorporating Right Size Solutions’ core capabilities. “Once Stark & Stark customizes this cybersecurity policy on behalf of an RIA firm, the cybersecurity policy will not only address the considerations provided in the April SEC/OCIE risk alert, but it will also reflect the RIA firm’s operational procedures as aligned with the particular cybersecurity methods that Right Size Solutions implements.”

“We have the technology, reporting and policies built into our platform that will be customized based on the RIA’s written policies,” explained Stillman. “The RIA and their compliance team must create the actual security policy themselves. However, working with Stark & Stark to prepare the policy makes the process very simple because they have already included our core capabilities into the cybersecurity policy and can now modify the policy to meet each client’s unique requirements.”

The final step in the process is for Right Size Solutions to customize the technology policies to match the RIA’s newly written cybersecurity policy.

Stillman told ThinkAdvisor in a recent interview that it’s important for advisors to be able to prove to regulators that their written policies are actually being implemented. State and SEC examiners, he says, will first ask if the advisor has a written policy, but they will “turn around and audit what you’ve written down, [comparing those policies] to what’s implemented in [the firm’s] technology.” For instance, “If you said I want a complex password policy and you create a password that’s 1, 2, 3, 4, then those two things don’t jibe and that’s when the auditors start getting excited,” Stillman says. Right Size, he says, “makes sure that whatever [the advisory firm has] written down in a policy, we have implemented that policy from a technology perspective and that we are able to report on what that is. So when an auditor comes in and says, ‘prove to me that you’re auditing emails, what is that process,’ we are able to say here is the process, the reports and the results of [the advisor’s] work.”

Stillman says that Right Size will “build” a cybersecurity policy that can be tweaked to accommodate the firm’s specific needs. For instance, “some firms may want us to control and manage their mobile devices and others may say ‘we have a policy that says we’re not going to use those devices to communicate with clients,’ so we don’t need those sections” of a specific policy.
