Why choosing a cybersecurity auditor may be tougher than you think

With its 2017 list of examination priorities, the Securities and Exchange Commission left little doubt about its zeal for having advisory firms focus their attention on cybersecurity measures. 

“We will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls,” the SEC said in the statement announcing its examination priorities. 

But advisory firms, which want to conduct cybersecurity audits to pre-empt any future SEC troubles, must reckon with a reality: Cybersecurity auditing is a less than fully developed science.

“Because of the recent focus on cybersecurity from the SEC, this has become a hot topic. Since firms expect this to be included in their next SEC exam, it certainly makes sense to perform an internal audit prior to that,” says Brent Everett, founder, chief investment officer and partner at Talis Advisors in Plano, Texas.

But, “most traditional IT firms don’t understand the complex requirements of our industry and the few that do are focused on servicing large enterprises, not the typical small to medium-sized RIAs,” he says.

Until more options develop, advisory firms must choose among the “service providers that have sprung up to address this area of the market,” Everett says.

It is an imperfect situation. 

“As the requirements are still rapidly evolving, there is still little standardization of the audit process, what is required and what is provided. This makes it quite difficult to compare services from different suppliers,” Everett says.

Caveat emptor rules apply. 

“It’s also quite obvious that many of the suppliers are in the start-up phase and don’t have particularly robust documentation of their processes. It’s an immature industry, and pricing varies wildly; you don’t always get what you pay for,” Everett says.