Advisors would do well to move quickly to enhance their cybersecurity policies and operational infrastructures in response to a report recently issued by the Securities and Exchange Commission’s Office of Compliance and Inspections.
The Cybersecurity Best Practices Report highlights what the SEC staff expects to see during its examinations of investment advisors and what actions advisors must take to avoid deficiency letters or possible enforcement action.
OCIE’s Jan. 27 report summarized its observations of the cybersecurity practices of investment advisors, broker-dealers and other SEC registrants, drawn from thousands of examinations. It is intended to help registrants enhance their cybersecurity preparedness and operational resilience in line with SEC expectations.
As investment advisors are well aware, cybersecurity continues to be one of the SEC’s top examination priorities, as it has been the focus of eight OCIE risk alerts to date. As a result, firms are advised to position cybersecurity as a top priority in their risk assessments.
“Tone at the top” is always a key focus of SEC examiners, and cybersecurity is no exception. Firms should ensure that their senior-level executives set the cybersecurity strategy and maintain oversight over the firm’s operational infrastructure.
Once written procedures have been amended to reflect the report’s guidance, as applicable, cybersecurity risk assessments should be updated to align with those procedures, so that the risks they identify are managed and mitigated under the revised controls.
Of course, the SEC staff always seeks to verify that firms actually do what they claim to do, and comprehensive testing and monitoring allow firms to keep their written procedures aligned with actual practices as processes evolve. In addition, firms should develop a communication plan for cybersecurity incidents, since timely communication is critical to internal and external stakeholders as well as regulators.
Data security is the centerpiece of all cybersecurity programs, and the report highlights key ways to ensure appropriate access rights and controls, mobile security and data loss prevention. Firms are advised to allocate access to systems and data based on job responsibilities, and then manage and monitor that access on an ongoing basis.
Mobile security is increasingly important as well. Cybersecurity policies should address the use of mobile devices, including training, security measures to prevent the transfer of firm information to personal devices, and the use of device management applications.