SEC focus areas include cloud risk, cyber/tech controls, among others
The U.S. Securities and Exchange Commission (SEC) has commenced a series of cybersecurity examinations of registered investment advisers (RIAs).
As evidenced by a flurry of information request letters this week, the SEC is targeting Form ADV data related to cloud service providers with 24 requests focused on vendor diligence and oversight. The SEC is focusing on how RIAs are identifying and monitoring risks to ensure systems, data, and non-public client information are secured at third parties and the cloud service providers they use.
It is evident that the SEC is intent on understanding cyber concerns not only at RIAs themselves, but also in RIAs’ technology architecture and at their partners.
The current SEC sweep includes an information request list that differs from previous lists, including the one used in the cyber sweep that commenced earlier this year. The SEC is requesting that RIAs provide information in the following key areas, among others:
- Vendor contracting and vendor due diligence reviews
- Policies and procedures as they align to technology standards (e.g., NIST, COBIT)
- Cloud service provider:
- Business and risk assessments
- Books and records exposure
- Data loss prevention
- Data encryption
- Identity and access management
- Comprehensive egress/ingress inventories (public domain and partners)
- Master Services Agreement (MSA), Operational Level Agreement (OLA), and Service Level Agreement (SLA) documentation for each service provider
ACA Aponix Guidance
No RIA, big or small, is exempt from the SEC’s focus on cybersecurity. Now is the time for firms to enrich their cyber compliance programs.
While very targeted, the current examination sweep does not exclude previous cyber focus areas. Governance, access controls, data loss prevention, vendor management, cyber training, and incident response are all still in focus; perhaps even more so considering these areas are in scope at an adviser’s connected partners. Private equity (PE) firms remain under additional scrutiny in how they oversee cyber concerns at their portfolio companies.
It is plausible that the SEC is using advanced analytics to determine vendor concentration risk across the RIA community and to understand how that is being addressed by individual RIAs. Not all Schedule D vendors were included in the request for diligence documentation: it was focused on providers that are likely servicing a significant number of RIAs.
Firms should ensure that they have documented initial and ongoing diligence on cloud providers in Section 1.L of Schedule D on Form ADV Part 1A.
ACA clients who have received this request should reach out to their ACA contact for guidance in responding to the SEC.
How ACA Aponix Can Help
ACA Aponix provides guidance to RIAs on their cyber compliance programs in order to help them comply with SEC requirements and protect their assets and investors. With former SEC regulators, CISOs, CIOs, CTOs, and other executive-level consultants on our team, we are well positioned to provide the following cyber solutions to RIAs:
- Risk assessments and testing services, including penetration testing and vulnerability assessments
- Mock regulatory cyber exams
- Governance, policies, and procedures development, including cyber incident response planning, WISP development assistance, and business continuity and disaster recovery planning
- Microsoft® Office 365® security assessments
- Vendor diligence and management
- M&A due diligence (pre- and post-deal)
- Privacy gap analysis (CCPA, GDPR, and others)
- Cyber education and awareness
- Threat intelligence
- Gap analysis against PCI, HITRUST, and other standards
Given the SEC's focus on vendor oversight, ACA’s vendor management services and Office 365 security assessments are particularly appropriate means of helping address how your firm would respond to a request similar to the ones just issued.
ACA Aponix Regulatory Cyber Resources
The following ACA resources are available to help your firm prepare for an SEC examination:
- Alert: SEC Updates Document Request List for Cybersecurity Examinations
- Blog: Preparing for SEC Cyber Compliance – What You Need to Know
- Webcast: SEC Examination Priorities and Focus Areas for 2019
- Alert: SEC Announces 2019 Examination Priorities
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.