On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released a Risk Alert detailing its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers and investment companies in the U.S. In comparison to prior cybersecurity examinations, this exam involved more active testing and validation of the firms’ procedures and controls related to cybersecurity.
In the final rule release for Rule 206(4)-7 of the Investment Advisers Act of 1940 (“Investment Advisers Act”), which requires investment advisers registered with the SEC to adopt and implement written policies and procedures, the SEC indicated that, when designing investment advisory policies and procedures, each investment adviser “should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations and then design policies and procedures that address those risks.” This process of identifying risks is commonly referred to as a risk assessment. As RIA Compliance Consultants previously discussed, a risk assessment should serve as a mechanism for an investment adviser to identify its unique set of risks and evaluate what risks are present and how such risks affect the investment adviser and its business operations. A risk assessment should be a critical step in developing strong written policies and procedures.