SEC Risk Alert: Observations from Cybersecurity Examinations of Investment Advisers

August 14, 2017

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released a Risk Alert detailing its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers and investment companies in the U.S. In comparison to prior cybersecurity examinations, this exam involved more active testing and validation of the firms’ cybersecurity-related procedures and controls.

During these exams, SEC staff focused on six areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.

The SEC found two overarching themes. First, firms were better prepared during this examination than during the 2014 Cybersecurity Initiative exams. Second, in some areas examined, such as penetration testing and data breach notification, investment adviser firms tended to be less prepared than broker-dealers.

Common Weaknesses

The staff noted three main areas of weakness across firms. First, even where an investment adviser firm had cybersecurity policies and procedures in place, in some cases the procedures were too general or vague to be useful to the firm’s employees. Investment adviser firms should develop procedures that give specific, not merely general, guidance. To maximize employee comprehension and adherence, an investment adviser firm’s policies and procedures should include concrete examples and specific procedures tailored to the firm’s practices.

A second area of weakness was an investment adviser firm’s failure to enforce its policies and procedures, or to ensure they were tailored to the firm’s needs. This risk is not limited to an investment adviser firm’s cybersecurity practices; a firm whose cybersecurity policies and procedures are not adequately tailored may have similar deficiencies throughout its compliance program.

The third area of weakness identified in these cybersecurity examinations was inadequate system maintenance. Some examinees were found to be using outdated operating systems or other software that the manufacturer no longer supported with security updates. Running software without security updates leaves an investment adviser vulnerable to otherwise avoidable cybersecurity losses. The staff also found situations in which examinees had identified vulnerabilities during cybersecurity testing but failed to remediate their findings.

SEC Guidance

The staff concluded the Risk Alert with a non-exhaustive list of elements found in the policies and procedures of examinee firms with robust cybersecurity programs. These included:

  • Keeping a detailed inventory of data, information, and vendors
  • Giving specific instructions in the policies and procedures, including examples where helpful
  • Regularly testing technology systems and implementing cautious but timely security patch deployment to all machines
  • Establishing and enforcing controls for access to firm data or systems, including:
    • Acceptable use policies
    • Mobile device management
    • Requiring vendors to provide activity logs detailing their use of the firm’s systems
    • Immediate or near-immediate termination of system access for terminated employees
  • Mandatory employee training, both upon hire and periodically throughout the year
  • Active engagement by senior management

Conclusion

Information security is not a destination but an ongoing journey that constantly changes and evolves. An investment adviser firm cannot rely solely on its vendors or its affiliated broker-dealer (if any) to implement cybersecurity practices that will thoroughly protect the investment adviser firm. Nor can a firm fail to monitor and update its own cybersecurity practices to meet evolving threats.

Although we are not information security experts, RIA Compliance Consultants has identified some best practices that investment adviser firms can use to supplement their discussions with IT staff and information security consultants. These are available as our Cybersecurity Best Practices Checklist, or as part of our Cybersecurity Package, which includes both the checklist and our Cybersecurity for Investment Advisers webinar.

In addition, Bryan Hill, president of RIA Compliance Consultants, will be presenting a session on cybersecurity developments affecting investment adviser firms at our Investment Adviser Conference on Thursday, August 24, 2017.

If you would like more information regarding the Cybersecurity Best Practices Checklist or any of our compliance support services, contact your consultant or schedule an introductory call.

Posted by Grant Parr