By now, every Securities and Exchange Commission-registered investment advisor should have a written cybersecurity policy. That was the first piece of advice Cary Kvitka, our cyber-security legal expert, gave me in a recent update on the topic, which included a review of SEC oversight.
The SEC’s Office of Compliance Inspections and Examinations issued Risk Alerts in 2014 and 2015, identifying cybersecurity as a critical concern and describing the nature of upcoming cybersecurity-focused examinations. In the process, OCIE identified the types of information it would be requesting in those examinations. In September 2015, for example, it announced that the upcoming round of examinations would focus on:
• Governance and Risk Assessment, which generally evaluates whether advisors: 1) have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas, 2) are periodically evaluating cybersecurity risks, 3) have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations, and 4) engage in communications to and from senior management.
• Access Rights and Controls, that is whether advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and evaluation of the way in which they manage user credentials, authentication, and authorization methods.
• Data Loss Prevention, which would include analyses of how advisors monitor: 1) the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and 2) unauthorized data transfers.
• Vendor Management, including an assessment of an advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.
• Training, which could focus upon the ways in which advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or downloading attachments from an unknown source.
• Incident Response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible data breaches.