The Securities and Exchange Commission (SEC) had a busy week regarding investment adviser and broker-dealer cybersecurity. On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on the topic of its Cybersecurity Examination Initiative. The Risk Alert provides information on the areas of focus for OCIE’s cybersecurity examination (more on this below). The SEC followed up its Risk Alert with an enforcement action against an investment adviser for a cybersecurity incident. The SEC censured the investment adviser and imposed a fine of $75,000. The SEC found that the investment adviser failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).
A brief background of SEC cybersecurity regulations: in 1999 Congress passed the Gramm-Leach-Bliley Act (GLBA). GLBA created the obligation for financial institutions to create privacy policies and procedures to protect customer information and to establish standards to secure the confidentiality of customer information. GLBA applies to investment advisers, broker-dealers and investment companies registered with the SEC.
To enforce the rules promulgated under GLBA, the SEC adopted Regulation S-P. Under the Gramm-Leach-Bliley Act and Reg. S-P, a financial institution must provide its customers with a notice of its privacy policies and practices. The firm must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure. These regulations also require financial institutions to take appropriate measures to protect customer information.
As technology has evolved, so too have the SEC standards for what constitutes adequate protection of customer information. Fraudsters’ and hackers’ abilities to steal customer information electronically have caused the SEC to begin assessing registered firms’ cybersecurity precautions. The SEC and state securities examiners have begun to crack down on investment adviser firms that do not take appropriate measures to protect sensitive client information. SEC and state securities examiners often conduct audits with the help of IT experts. Their purpose is to make sure that the information security policies and procedures the investment adviser or broker-dealer firm has put in place protect client information from foreseeable threats.
As the SEC makes cybersecurity a higher priority, its new Risk Alert highlights some areas investment advisers and broker-dealers can focus on to stay in compliance with securities regulators and to keep clients’ personally identifiable information (PII) (e.g., date of birth, social security number, full account number) safe.
Governance and risk assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are appropriate for their business.
Access Rights and Controls: Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
Data Loss Prevention: Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
Vendor Management: Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
Training: Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
Incident Response: Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.
Although we are not information security experts, RIA Compliance Consultants has services and products that can help keep your investment adviser in compliance with cybersecurity regulations. Purchase our webinar, Cybersecurity for Investment Advisers, recorded in October 2014 by clicking here. We also have an annual review tool with questions regarding best practices for cybersecurity, which could help investment advisers and their information security staff. If you would like more information regarding these or any of our compliance support services, contact your consultant if you are an existing client or click here to schedule a time to speak with one of our consultants if you have not previously worked with RIA Compliance Consultants.