This is an extended version of the article that appeared in the November 2015 issue of Investment Advisor.
In April 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert indicating that the SEC would focus on cybersecurity as a major issue. Almost 18 months later, many registered investment advisors still seem to be confused about what, exactly, they are required to do to comply with SEC guidance to protect their clients’ confidential information from would-be hackers and other forms of data breaches (such as lost or stolen laptops containing confidential information).
Two SEC-driven developments in September 2015 clarified those obligations. It is clear that registered investment advisors are obligated to: implement robust technical controls to protect their clients’ sensitive and confidential information from reasonably foreseeable threats; and adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of that information.
A Brief History of the SEC’s Cybersecurity Initiative
On March 26, 2014, the SEC sponsored a cybersecurity roundtable, during which Chairwoman Mary Jo White stressed the importance of cybersecurity to the integrity of the financial market system and customer data protection. White discussed the “compelling need for stronger partnerships between the government and private sector” to address cyberthreats.
With respect to SEC-regulated financial institutions, these “stronger partnerships” have apparently taken the form of examining cybersecurity practices and bringing enforcement actions against those whose failure to implement and document robust cybersecurity practices has resulted in the loss of clients’ confidential information.
On April 15, 2014, OCIE released a Risk Alert announcing its cybersecurity initiative. As part of this initiative, OCIE announced that it would conduct examinations of more than 50 financial institutions, including registered investment advisors, focused on: cybersecurity governance; identification and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.
This Risk Alert attached a list of sample questions comprising 28 requests with multiple sub-parts, which address a broad range of issues at varying levels of technical complexity. For example, one of the simpler questions is whether a firm maintains an inventory of its physical devices and systems. Some of the more complex and technical questions include: whether a firm maintains protection against distributed denial of service (DDoS) attacks for critical Internet-facing IP addresses; whether the firm maintains baseline information about expected events on its network; and whether the firm aggregates and correlates event data from multiple sources to assist in detecting unauthorized activity on its networks or devices.
September 2015 Developments
On Sept. 15, 2015, OCIE released another Risk Alert to elaborate upon “the areas of focus for OCIE’s second round of cybersecurity examinations, which would involve more testing to assess implementation of firm procedures and controls.”