The SEC has been clear on what it expects from advisors on data protection. Are you up to speed?
By now, every Securities and Exchange Commission-registered investment advisor should have a written cybersecurity policy. That was the first piece of advice Cary Kvitka, our cyber-security legal expert, gave me in a recent update on the topic, which included a review of SEC oversight.
The SEC’s Office of Compliance Inspections and Examinations issued Risk Alerts in 2014 and 2015, identifying cybersecurity as a critical concern and describing the nature of upcoming cybersecurity-focused examinations. In the process, OCIE identified the types of information it would be requesting in those examinations. In September 2015, for example, it announced that the upcoming round of examinations would focus on:
• Governance and Risk Assessment, which generally evaluates whether advisors: 1) have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas, 2) are periodically evaluating cybersecurity risks, 3) have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations, and 4) engage in communications to and from senior management.
• Access Rights and Controls, that is whether advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and evaluation of the way in which they manage user credentials, authentication, and authorization methods.
• Data Loss Prevention, which would include analyses of how advisors monitor: 1) the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and 2) unauthorized data transfers.
• Vendor Management, including an assessment of an advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.
• Training, which could focus upon the ways in which advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or downloading attachments from an unknown source.
• Incident Response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible data breaches.
Cary also mentioned that a critical footnote in the September 2015 OCIE Risk Alert references Regulation S-P, Rule 30(a), which requires advisors to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, must be reasonably designed to:
1. Insure the security and confidentiality of customer records and information; 2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and 3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Within this Risk Alert, the footnote signals that RIAs that do not adopt written policies and procedures to address the risk of data breaches/unauthorized access through hacking or electronic means are potentially violating Rule 30(a).
When OCIE announced its 2019 examination priorities, it specifically indicated it will emphasize cybersecurity practices at investment advisors with multiple branch offices, including those that have recently merged with other investment advisors. Now advisors need to pay close attention to what their written cybersecurity policies require.
Generally, we recommend they conduct a review of cybersecurity policy at least annually. In the process, they should evaluate whether to update the cybersecurity policy, procedures, or infrastructure based upon the risks it faces. The annual review also should ensure that the firm has been compliant with all policy requirements, (such as maintaining inventories, sign-in sheets for education / review sessions, tracking access rights, etc.) and that the written cybersecurity policy reflects current information and practices.
In summary, the SEC has made its position clear. Have you kept pace?
Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark. He can be reached at firstname.lastname@example.org.