
New Cybersecurity Risk Alert Announcing Second Round of Cybersecurity Sweep Exams

On September 15, 2015, the Office of Compliance Inspections and Examinations ("OCIE") issued a new Risk Alert relating to cybersecurity. The Risk Alert reemphasizes the Commission's intention to conduct a second phase of cybersecurity examinations of investment adviser firms, showing that the Commission is keeping the promises made in its 2015 Examination Priorities, released in January 2015.

This release follows several previous events and Risk Alerts highlighting the growing necessity of cybersecurity policies and procedures. During a Roundtable held in March 2014, the SEC staff underscored the importance of cybersecurity threat prevention, detection and remediation. A Risk Alert released in April 2014 announced the initial examination sweep, and in February 2015 the SEC published a summary of findings based on the first batch of examinations. That first round of cybersecurity examinations was based on a request list that the SEC circulated to 100 broker-dealers and investment advisers, who were asked to respond to a series of questions regarding their practices and controls.

The SEC's Division of Investment Management followed with guidance in April 2015 recommending that advisers and funds follow a three-step approach: conduct periodic assessments, have a cybersecurity strategy, and employ an incident response plan together with written policies and procedures to mitigate cyberattacks. The guidance also explained the legal basis for liability in the event of a disruption of operations or a loss of data due to a cyberattack.

OCIE has issued the present Risk Alert to provide additional information on the areas of focus for its second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls. More extensive testing most likely means that the SEC will conduct onsite visits during this second round of exams, which would be in line with what the SEC announced to the press earlier this spring. The first round of SEC reviews was conducted entirely offsite.

In this Risk Alert, the SEC notes that "in light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the Cybersecurity Examination Initiative is designed to build on OCIE's previous examinations in this area and further assess cybersecurity preparedness in the securities industry, including firms' ability to protect broker-dealer customer and investment adviser client information… As a result, examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls." Investment advisers should take a fresh look at their current cybersecurity policies and procedures and work to enhance them in order to address the areas of concern that the Commission has outlined below as the focus of the upcoming examination initiative.

  • Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes in place, whether firms periodically evaluate cybersecurity risks, and whether their controls and risk assessment processes are tailored to their business, including the involvement of senior management and boards of directors.
  • Access Rights and Controls: Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
  • Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
  • Vendor Management: Due to hacking of third-party vendor platforms, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
  • Training: Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior, as well as review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
  • Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.

While these are the SEC's primary areas of focus during this new wave of examinations, advisers would be well advised to be prepared for the Staff to make additional requests and select additional areas based on risks identified during the course of the examination.

SEC3 can assist your firm in creating, implementing and maintaining its cybersecurity policies and procedures. For further information, please contact your SEC3 representative or contact us directly.
