On September 15, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) issued a new Risk Alert relating to cybersecurity. This Risk Alert reemphasized the intention of the Commission to conduct a second phase of cybersecurity examinations of Investment Adviser firms showing the Commission is keeping the promises made in the 2015 Examination Priorities released in January 2015.
This release comes on the heels of several previous events and Risk Alerts highlighting the growing necessity of cybersecurity policies and procedures. During a Roundtable held in March 2014, the SEC staff underscored the importance of cybersecurity threat prevention, detection and remediation. In addition, there was a risk alert released in April 2014 announcing the initial examination sweep. In February 2015, there was a subsequent summary of findings based on the first batch of examinations. The first round of these cybersecurity examinations was based on a request list that the SEC circulated to 100 broker-dealers and investment advisers who were asked to respond to a series of questions regarding their practices and controls.
The SEC Investment Management Division followed with guidance in April 2015 recommending that advisors and funds follow a three-step approach: conduct periodic assessments, have a cybersecurity strategy and employ an incident response plan as well as written policies and procedures to mitigate cyberattacks. The SEC also explained in its guidance the legal basis for liability in the event of disruption of operations or data loss due to a cyber attack.
OCIE has issued the present Risk Alert to provide additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls. More extensive testing most likely means that the SEC will conduct onsite visits during this second round of exams. This would be in line with what the SEC announced to the press earlier this spring. The first round of SEC reviews were entirely conducted offsite.
In this Risk Alert, the SEC notes that “in light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the Cybersecurity Examination Initiative is designed to build on OCIE’s previous examinations in this area and further assess cybersecurity preparedness in the securities industry, including firms’ ability to protect broker-dealer customer and investment adviser client information… As a result, examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls.” Investment Advisers should take a fresh look at their current policies and procedures relating to cybersecurity and work to enhance them in order to address the areas of concern the Commission has outlined below as areas of focus of the upcoming examination initiative.
- Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment, as well as whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business, including involvement of senior management and boards of directors.
- Access Rights and Controls: Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
- Vendor Management: Due to hacking of third-party vendor platforms, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- Training: Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior, as well as review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
- Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.
While these are the primary areas of focus of the SEC during this new wave of examinations, advisers are well advised to be prepared for Staff to make additional requests and select additional areas based on risks identified during the course of the examination.
SEC3 can assist your firm in creating, implementing and maintaining your cybersecurity policies and procedures. For further information, please contact your SEC3 representative or contact us at firstname.lastname@example.org.