Advisors should move quickly to enhance their cybersecurity policies and operational infrastructures in response to a report recently issued by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE).
The Cybersecurity Best Practices Report highlights what the SEC staff expects to see during its examinations of investment advisors and what actions advisors must take to avoid deficiency letters or possible enforcement action.
OCIE’s Jan. 27 report summarized its findings of the cybersecurity best practices of investment advisors, broker-dealers and other SEC registrants from thousands of examinations. It is intended to help registrants enhance their cybersecurity preparedness and operational resilience in line with SEC expectations.
As investment advisors are well aware, cybersecurity continues to be one of the SEC’s top examination priorities, as it has been the focus of eight OCIE risk alerts to date. As a result, firms are advised to position cybersecurity as a top priority in their risk assessments.
“Tone at the top” is always a key focus of SEC examiners, and cybersecurity is no exception. Firms should ensure that their senior-level executives set the cybersecurity strategy and maintain oversight over the firm’s operational infrastructure.
Once written procedures are amended to reflect the guidance of the report, as applicable, cybersecurity risk assessments should be updated to align with the revised procedures, so that risks are identified, managed and mitigated according to the process the firm has actually documented.
Of course, the SEC staff always seeks to verify that firms do what they claim to do, and comprehensive testing and monitoring will help ensure that written procedures stay aligned with actual practices as processes evolve. In addition, firms should develop a communication plan for cybersecurity incidents that covers internal and external stakeholders as well as regulators.
Data security is the centerpiece of all cybersecurity programs, and the report highlights key ways to ensure appropriate access rights and controls, mobile security and data loss prevention. Firms are advised to allocate access to systems and data based on job responsibilities, and then manage and monitor that access on an ongoing basis.
Mobile security is increasingly important as well. Cybersecurity policies should cover mobile devices specifically, including training, security measures to prevent the transfer of firm information to personal devices, and the use of mobile device management applications.
The report also notes best practices for data loss prevention, including monitoring vulnerabilities and threats, addressing hardware and software inventory and disposition, and establishing perimeter security and a patch management program.
The only way to truly test the mettle of your cybersecurity program is to fine tune your firm’s incident response procedures so you can assess your resiliency under threat. In developing your incident response plan, the report advises that firms assign staff with specific roles in the event of a cybersecurity incident, address how to meet reporting requirements and test the plan and recovery plans using a variety of methods.
Failing to identify and prioritize core business services, and to assess the impact of individual system failures, leaves a firm dangerously exposed, so firms are cautioned to develop a resiliency strategy with risk tolerances tailored to those services.
Even if all of your systems are ironclad, human error can capsize your cybersecurity program, so a close eye should be kept on vendors and personnel.
Vendor management oversight should include reviewing industry-standard assurance reports, such as a SOC 2 report prepared under the AICPA's SSAE 18 attestation standard, along with due diligence questionnaires, and vendor relationships should be reviewed periodically to make sure they continue to meet your requirements. In addition, training should be provided to internal personnel and should be updated as needed.
The report serves as yet another reminder to firms to enhance their cybersecurity policies and procedures in order to avoid SEC deficiency letters and possible enforcement action.
The guidance in the report is detailed and prescriptive, and following it closely is well-advised in order to shore up your firm’s data security.
Senior executives can help to set the cybersecurity culture of compliance and should consider engaging a third party to conduct a review of your firm's cybersecurity practices, policies and procedures, including a gap analysis with enhancements recommended in light of the report. Firms should also keep a close eye out for new developments relating to cybersecurity, such as through the SEC's Cybersecurity Spotlight page and via alerts from the Cybersecurity and Infrastructure Security Agency (CISA).
Dianne Descoteaux, Esq., is compliance director at Cipperman Compliance Services, a CCO outsourcing firm based in Wayne, Pennsylvania. Dianne is an experienced investment management attorney who spent nearly 10 years at SEI Investments following several years in private practice at major law firms. She focuses on fund and adviser regulatory issues.