The SEC Office of Compliance Inspections and Examinations (“OCIE”) has put registered investment advisors on notice: Compliance with privacy and data safeguards requires follow-through in both word and deed. Risk alerts related to cybersecurity issues were released in April and May, and both were prompted by findings that developed during exams of SEC-registered advisors related to Regulation S-P, “Privacy of Consumer Financial Information.”
The April 2019 risk alert focused on compliance shortcomings in two primary areas:
- the timely provision of privacy and opt-out notices to customers and
- written data safeguarding policies and procedures.
In the latter case, the OCIE particularly noted that safeguarding policies either were lacking in part or in whole, or were not implemented or reasonably designed to be effective. In other words, advisors might talk the talk, but weren’t walking the walk.
The May 2019 risk alert brings a heightened level of awareness to the risks associated with the use of network storage solutions, including those that are located in the cloud. The use of these technologies and solutions within registered broker-dealers and investment advisors is very common and often part of a solid IT business continuity and disaster recovery plan. Once again, insufficient policies and procedures were an issue, as well as a disconnect between a firm’s own cybersecurity standards and those in actual practice at vendor-provided solutions.
This risk alert is unique, however, in that it specifically identifies the importance of managing configurations and the use of various features within these solutions, as opposed to going with default security configurations. Firms should especially take note that up until now, OCIE has not provided such direct guidance at this level of depth and specificity for a targeted area of cybersecurity risk management.
The OCIE communications come on the heels of the SEC’s first enforcement action last fall against a firm with deficient cybersecurity procedures. These recent risk alerts bear out what my colleagues Alan Brill and Ken Joseph noted at the time about the SEC’s expectations: that companies should “not only have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures to assure that they are working as intended.”
Policies and Procedures Should Drive Secure Data Handling
OCIE staff highlighted in these alerts, as they have in prior cyber-focused alerts, the importance of having written policies and procedures that drive specific actions around privacy and data protection. Far from being a “check the box” activity, creating meaningful policies and procedures should reflect a firm’s understanding and commitment to data security. In fact, OCIE took specific issue with policies that did not appear to be implemented or designed to “protect against anticipated security-related threats or hazards” in the course of day-to-day activities. When looking at where OCIE’s latest exams found issues, how would your firm stack up today in these areas:
- Personal device use
- Electronic communications
- Training and monitoring
- Unsecure networks
- Unsecure physical locations
- Outside vendors (including storage solutions)
- PII inventory
- Incident response plans
- Login credentials
- Departed employees
- Misconfigured network storage solutions
- Data classification and related controls
Cybersecurity Compliance Foundation – Proactive Approach and Ongoing Monitoring
In both risk alerts, OCIE emphasized not only where firms had neglected to establish pragmatic cybersecurity controls, but was also critical of firms that failed to ensure their existing policies and standards were being implemented effectively by employees and third parties alike.
Terms such as “misconfigured”, “inadequate” and “insufficient” pepper the alerts. However, they do provide firms with a lens through which they can measure their own cybersecurity efforts. The May alert particularly highlights the importance of establishing security configuration baselines, configuration management, and the processes involved in ensuring that these steps are followed, not only internally, but with partners and vendors.
Kroll recommends that broker-dealers and advisors take a second look today at both their cybersecurity policies and actual practices in light of these new risk alerts. The following best practices can form the framework for your inquiries:
- The tone should be set from the top – i.e., c-suite executives and the board – that cybersecurity is an enterprise-wide priority and not an afterthought or check-the-box activity.
- Develop policies that ensure appropriate controls are in place that not only meet regulatory expectations, but also take into account how employees and vendors work with customer data on a daily basis.
- Clearly articulate your standards and expectations to employees and contractually obligate all vendors to agree to maintain the same.
- Train employees on proper data handling and give them tools that support your policies (e.g., provide company-approved devices, locking desks/cabinets for laptops, etc.).
- Review and, if necessary, update existing policies and procedures to make sure that appropriate actions are being taken to assess, update, and monitor software and vendor configurations.
- Review and ensure that there are named individuals who are responsible for monitoring and updating vendor security requirements with the vendors directly and internally.
- Conduct regular risk assessments and test if your security measures work as intended as conditions might change.
- Review and validate configurations for network storage solutions and cloud storage solutions. Consider using a trusted standard for review such as the Center for Internet Security® (CIS®) Security Controls or the Cloud Security Alliance® Cloud Controls Matrix.
- Reference or create a data map of where critical and sensitive data resides within the organization. Include service providers and vendors where applicable.
Maintaining Compliance as Cyber Risk Continually Evolves
As data breaches continue to occur, Kroll believes that OCIE will provide more specific guidance and recommendations with respect to their expectations for advisor cybersecurity programs. OCIE expects broker-dealers and advisors to not only address the challenges of current cyber risks, but also to have an awareness that risks are continually evolving.
Firms must be positioned to mitigate cyber risks as they develop, and enlisting the help of experts such as Kroll’s Cyber Risk specialists can take this complex burden off of your internal staff. We work every day with clients in highly regulated industries, including broker-dealers, and understand your cyber risk challenges well. To learn how our end-to-end services can help your firm meet current and evolving OCIE cybersecurity expectations, contact a Kroll Cyber Risk expert today.