Cybersecurity continues to be a primary focus area for the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE), as indicated in their 2019 examination priorities. It’s no surprise given the growing cybersecurity threats facing investment advisers and the consequences a cyber-attack can have on firms.
New cyber focus areas for 2019
The SEC announced two new cyber focus areas for their 2019 examination priorities — here’s what your firm needs to know, and what you can do to prepare:
- Multiple Branch Offices – Your firm’s cybersecurity policies and procedures should define cybersecurity controls for branch offices. This includes adopting branch-level policies and procedures and describing the cybersecurity oversight over branch offices. In addition to maintaining effective cybersecurity controls and protecting client information, your firm needs to evaluate the security measures at the branch offices to ensure the data and assets are inventoried and protected and standards are consistent with the home office.
- Investment Adviser Mergers/Acquisitions – Your firm should be ready to demonstrate the due diligence process before and after a merger or acquisition transaction. This includes understanding the cybersecurity risk and vulnerabilities posed by the transaction, network and system architecture and data flow, inventory of the cybersecurity products and technologies, third-party relationships, and written security program that meets current regulatory and industry standards. Your firm should also demonstrate how it is managing the new entity through changes to processes, resources, technology and governance that can impact the availability or confidentiality of data and assets, assessing vulnerabilities that arise during system implementation, and demonstrating effective governance throughout the integration process.
Other cyber focus areas to prepare for
In addition to these new focus areas, governance, access rights and controls, data loss prevention, vendor management, incident response, and training continue to be key focus areas for 2019. Below is what you can do to prepare:
- Governance – Your firm should address the SEC’s cyber focus areas as part of your written cybersecurity policies and procedures. This includes demonstrating how cybersecurity threats are identified, managed, documented, and reported; how cybersecurity roles and accountability are assigned; and how your firm’s leadership implements cybersecurity governance.
- Access Rights and Controls – To prevent unauthorized access of network resources and devices, the SEC expects your firm to implement security tools that restrict user access according to job function, as well as conduct access reviews for employees and vendors.
- Data Loss Prevention – Your firm should implement security measures designed to combat the loss of sensitive enterprise data such as non-public personally identifiable information and shareholder data. These security measures should strengthen your firm’s ability to identify, monitor, and protect data at rest, in use, and in motion.
- Vendor Management – Vendors are entrusted with sensitive data, and the SEC expects firms to perform due diligence on third parties, consider contract requirements, determine vendor risk ranking criteria, and conduct ongoing oversight. – GDPR requires firms to undertake a holistic risk assessment across your organization to fully consider the key risk areas relating to the processing of personal data. In addition, your firm should review and update your existing privacy and information security policies and procedures for alignment with your firm’s GDPR requirements.
- Incident Response – Your firm must have an incident response plan in place to address potential cybersecurity incidents. This includes timely detection of the incident, properly disclosing information, and taking appropriate corrective actions.
- Training – Periodic cybersecurity awareness training is mandatory for all employees and contractors. Advisers must maintain evidence of the training performed, topics covered, and list of employees that participated.
Regulatory Cyber Resources
The following ACA resources are available to help your firm navigate the complexities of SEC examinations:
- Webcast: SEC Examination Priorities and Focus Areas for 2019
- Alert: SEC Announces 2019 Examination Priorities
How ACA Aponix Can Help
ACA Aponix can help your firm meet your regulatory cyber obligations and prepare for an SEC cyber examination. Our regulatory cybersecurity services include:
- Cybersecurity and Technology Risk Assessments
- Mock Regulatory Cybersecurity Exams
- M&A Diligence and Advisory Services
- Policies, Procedures, and Governance
About the Author
Askari Foy is a Managing Director overseeing ACA Aponix's Global Regulatory Cybersecurity Practice. He recently joined ACA after serving for over 13 years with the U.S. Securities and Exchange Commission (“SEC”), where he was most recently Associate Director and Head of the National Technology Controls Program (“TCP”) with the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). TCP conducts cybersecurity examinations of registered investment advisers, broker-dealers, national securities exchanges, clearing agencies, automated trading systems, and self-regulatory organizations to ensure compliance with federal securities laws. As head of the TCP, Askari developed and implemented cybersecurity risk-based examination and surveillance strategies that promoted the importance of cybersecurity and IT Governance structure among SEC registrants. Askari was also a contributor to the implementation of Regulation SCI, which focuses on critical market infrastructure and is used as a guideline for investment adviser and broker-dealer examinations.