SEC Clarifies RIAs’ Cybersecurity Obligations - Think Advisor

According to OCIE, this next round of examinations would focus on:

  • Governance and risk assessment, which generally evaluates whether registered investment advisors have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas; are periodically evaluating cybersecurity risks; have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations; and are communicating with senior management.  Advisor Armor's 12 Step Information Governance Development Process provides the customized documentation required for inspection and training.

  • Access rights and controls, i.e., whether registered investment advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and evaluation of the way in which they manage user credentials, authentication and authorization methods.  Advisor Armor's technology provides the monitoring needed to both train and control required processes and procedures.

  • Data loss prevention, which would include analysis of how registered investment advisors monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads; and unauthorized data transfers.  Advisor Armor's combination of training, testing and monitoring makes client's "target hard" and less attractive to those with bad intentions.
  • Vendor management, including an assessment of a registered investment advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.  Advisor Armor provides the vendor vetting process documentation required to successfully vet both physical and electronic vendors.
  • Training, which could focus on the ways in which registered investment advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured Internet connection or downloading attachments from an unknown source.  Advisor Armor combines electronic and paper coverage within world class and ongoing training and evaluation programs.
  • Incident response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible data breaches.  Advisor Armor fully manages security incident response including required reporting and recovery to pre-event status.  MORE