
Cybersecurity - What have we learned and what have we done?

Regulatory Landscape

In April 2015, the Securities and Exchange Commission ("SEC") Division of Investment Management issued a guidance update identifying cybersecurity as a critical issue. Several regulators are in fact focusing on cybersecurity. The SEC guidance update clarified the Staff's view that investment advisers need to undertake the following measures:

1 - Conduct periodic assessments of, among other things:

  • the technology systems that the firm uses,
  • those systems' vulnerability to cybersecurity risks,
  • the security controls and processes in place, and
  • the governance structure for the management of cyber risk.

2 - Create a strategy that is designed to prevent, detect and respond to cybersecurity threats by way of:

  • controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;
  • data encryption;
  • protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
  • data backup and retrieval; and
  • the development of an incident response plan.

3 - Implement the cybersecurity "defense" strategy through written policies and procedures and training which would serve to reasonably prevent, detect and respond to any such threats.

The SEC made cybersecurity a significant point of interest for 2015 through its examination priorities and the guidance it released to the public. That same year, we outlined a variety of best practices that investment advisers and investment companies can incorporate into their current policies and procedures to be prepared in the event of a security breach.

On September 15, 2015, the Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert relating to cybersecurity. In 2016, OCIE stated that cybersecurity would remain a focus area in examinations, continuing the efforts it began with its 2014 cybersecurity initiative.

Although the SEC has shared a summary of previous exam findings, many investment advisers remain significantly behind in implementing a cybersecurity program that meets regulator expectations. Case in point: the SEC brought an enforcement action against a St. Louis investment adviser for failing to implement cyber policies and procedures in advance of a breach of personally identifiable information ("PII") involving approximately 100,000 individuals. Again this year, the SEC took action where there was a breach related to PII.

Finally, in June 2016, the SEC proposed a rule requiring investment advisers to adopt business continuity and transition plans to address significant disruption of the adviser's operations as a result of cyber breaches and other causes. In addition to the proposed rule, SEC staff issued related guidance addressing business continuity planning for registered investment companies, including oversight of the operational capabilities of key fund service providers.

Where are we with respect to cybersecurity, and what have we done to address those concerns?

In a recent survey of CCOs conducted by DLA Piper (DLA Piper's 2016 Compliance & Risk Report: CCOs Under Scrutiny), the biggest risks facing firms today that were identified were data breach and cybersecurity.

Hopefully, in response to these concerns, CCOs and investment advisers have taken note of the cybersecurity regulatory developments and increased scrutiny over the past few years and have implemented strong information technology and cybersecurity policies and procedures. The policies and procedures should, at a minimum, address active risk assessments conducted by the firm's IT staff, compliance staff or a consultant to understand the firm's susceptibility to cyber threats. Additionally, procedures related to data loss prevention, access rights, vendor management and ongoing training are essential to a strong cybersecurity program. All of these elements should be detailed in a dedicated cybersecurity policy with procedures that are regularly reviewed, tested and refined. Moreover, firms should have cybersecurity committees in place that oversee risk assessments and all cybersecurity processes. Ideally, the committee would include diversified representation from IT, compliance, operations and executive management. The current regulatory scrutiny of cybersecurity is clear. Be sure that your firm is not falling short.

SEC3 is standing by to help regulated firms take stock of the cybersecurity regulatory landscape, assess the strength of their cybersecurity compliance program and make up-to-date recommendations to help enhance policies and procedures, as well as implementation and testing.

SEC Compliance Consultants, Inc. ("SEC3") is a recognized industry leader in providing independent regulatory compliance services to the investment management and securities industries.
