Since it first announced its “Cybersecurity Initiative” in April 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations has been relentlessly setting its sights on RIA’s information security programs. In fact, as recently as its 2020 Examination Priorities, OCIE noted it will “continue to prioritize information security in each of its five examination programs.”
I spoke with our cyber expert, Cary Kvitka, regarding this increasingly important issue. Our firm has been helping RIAs draft customized cybersecurity policies and procedures under Regulation S-P, Rule 30(a) since April 2014.
Among other things, the rule broadly requires RIAs to adopt written policies and procedures addressing technical safeguards to protect their clients’ data “against any anticipated threats or hazards to the security or integrity of customer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
Therefore, when we customize written cybersecurity policies and procedures for our clients, we have turned to OCIE’s published guidance to help identify and address their expectations.
We’ve also learned practical lessons, one of which is that size really doesn’t matter much to the SEC’s examination staff. They seem to apply the same standards to RIAs of all sized firms, ostensibly because they all face the same type of palpable risks.
It is simply not enough for RIAs to adopt and enforce narrowly tailored policies and procedures for the protection of their clients’ data from internal or external breaches. Rather, these policies must be evaluated and updated in response to operational changes and evolving risks.
As this pandemic clearly has changed the we conduct business and resulted in increased cybersecurity risks, this is an excellent time for RIAs to conduct a formal risk assessment and consider some changes to their policies, procedures, or infrastructure if appropriate. In doing so, OCIE’s Cybersecurity and Resiliency Observations released not long before the pandemic took hold serves as a benchmark for industry best practices.
In this respect, SEC Chairman Jay Clayton himself opined, “Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts.”