
New Cybersecurity Risk Alert Announcing Second Round of Cybersecurity Sweep Exams

On September 15, 2015, the Office of Compliance Inspections and Examinations ("OCIE") issued a new Risk Alert relating to cybersecurity. The Risk Alert reemphasizes the Commission's intention to conduct a second phase of cybersecurity examinations of investment adviser firms, following through on the commitment made in the 2015 Examination Priorities released in January 2015.

This release comes on the heels of several previous events and Risk Alerts highlighting the growing necessity of cybersecurity policies and procedures. During a Roundtable held in March 2014, the SEC staff underscored the importance of cybersecurity threat prevention, detection and remediation. A Risk Alert released in April 2014 announced the initial examination sweep, and in February 2015 the staff published a summary of findings based on the first batch of examinations. That first round of cybersecurity examinations was based on a request list that the SEC circulated to 100 broker-dealers and investment advisers, who were asked to respond to a series of questions regarding their practices and controls.

The SEC Division of Investment Management followed with guidance in April 2015 recommending that advisers and funds take a three-step approach: conduct periodic assessments, have a cybersecurity strategy, and employ an incident response plan together with written policies and procedures to mitigate cyberattacks. The guidance also explained the legal basis for liability in the event of a disruption of operations or a loss of data resulting from a cyberattack.

OCIE has issued the present Risk Alert to provide additional information on the areas of focus for its second round of cybersecurity examinations, which will involve more testing to assess how firms have actually implemented their procedures and controls. More extensive testing most likely means that the SEC will conduct onsite visits during this second round of exams, which would be in line with what the SEC announced to the press earlier this spring. The first round of SEC reviews was conducted entirely offsite.

In this Risk Alert, the SEC notes that "in light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the Cybersecurity Examination Initiative is designed to build on OCIE's previous examinations in this area and further assess cybersecurity preparedness in the securities industry, including firms' ability to protect broker-dealer customer and investment adviser client information… As a result, examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls." Investment advisers should take a fresh look at their current cybersecurity policies and procedures and work to enhance them in order to address the areas of concern the Commission has outlined as the focus of the upcoming examination initiative, listed below.

  • Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes in place, whether firms periodically evaluate cybersecurity risks, and whether their controls and risk assessment processes are tailored to their business, including the involvement of senior management and boards of directors.
  • Access Rights and Controls: Examiners may review how firms control access to various systems and data through the management of user credentials and through authentication and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols for addressing customer login problems, network segmentation, and tiered access.
  • Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside the firm by its employees or through third parties, such as by email attachment or upload. Examiners may also assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
  • Vendor Management: Because third-party vendor platforms have been hacked, examiners may focus on firm practices and controls related to vendor management, such as due diligence in vendor selection, monitoring and oversight of vendors, and contract terms.
  • Training: Examiners may focus on how training is tailored to specific job functions and designed to encourage responsible employee and vendor behavior, and may review how the procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
  • Incident Response: Firms generally acknowledge the increased risk of cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.

While these are the primary areas of focus for the SEC during this new wave of examinations, advisers are well advised to be prepared for the Staff to make additional requests and to select additional areas based on risks identified during the course of the examination.

SEC3 can assist your firm in creating, implementing and maintaining its cybersecurity policies and procedures. For further information, please contact your SEC3 representative.
