SEC Continues to Focus on Cybersecurity for Investment Advisers

August 02, 2016

As in 2015, the Securities and Exchange Commission (“SEC”) Examination Priorities for 2016 identify cybersecurity as an area of “potentially heightened [market-wide] risk.” Citing the Office of Compliance Inspections and Examinations (“OCIE”) 2015 Risk Alert, the SEC promised to continue using its exams to evaluate investment adviser firms’ cybersecurity preparedness. Click here to read our blog on the OCIE Cybersecurity Risk Alert.

Given investment advisers’ increasing reliance on technology to support, facilitate, and maintain critical business operations – and an expanding market for illicitly and illegally obtained confidential information – cybersecurity is a foundational component of every healthy investment adviser firm. New technologies, such as cloud computing, can bring new benefits but are accompanied by new risks. An investment adviser firm that does not appropriately plan for the risks associated with its use of technology exposes itself to the potential for the loss of sensitive and confidential information, the consequences of which can include both civil and regulatory liability.

In one of its first enforcement action focusing on cybersecurity, the SEC fined a registered investment advisory firm $75,000 for the firm’s alleged cybersecurity failures that resulted in Chinese hackers gaining access to the personal information of more than 100,000 individuals, the majority of whom were not clients of the firm. Click here to read the SEC enforcement action. In another enforcement action, the SEC fined an investment adviser firm $1 million for its alleged failure to prevent an employee from accessing and downloading unauthorized, confidential client information over a period of three years. After the employee allegedly downloaded the information, investigators believe a third party hacked employee’s personal server and began selling the information online. In its enforcement action, the SEC noted that the investment adviser firm had not reviewed some of its information control procedures for more than 10 years, allowing the employee to exploit detectable defects, and had also failed to monitor employee access logs for unusual or unauthorized activity. Click here to read the SEC press release.

In the ever-changing world of cybersecurity, the need to regularly review your investment adviser firm’s cybersecurity practices remains constant. RIA Compliance Consultants has created a best practices checklist that investment adviser firms can use to supplement their discussions with IT staff and information security consultants. Click here to purchase our Cybersecurity Best Practices Checklist or click here to view our Cybersecurity Package, which includes both the checklist and our Cybersecurity for Investment Advisers webinar. If you would like more information regarding the Cybersecurity Best Practices Checklist or any of our compliance support services, contact your consultant or click here to schedule an introductory call.

Posted by Bryan Hill
Labels: Cyber Security, Cybersecurity, Enforcement, Examination, SEC, SEC Inspection, Uncategorized