Wed, Jun 26, 2019
The SEC Office of Compliance Inspections and Examinations (“OCIE”) has put registered investment advisors on notice: Compliance with privacy and data safeguards requires follow-through in both word and deed. Risk alerts related to cybersecurity issues were released in April and May, and both were prompted by findings that developed during exams of SEC-registered advisors related to Regulation S-P, “Privacy of Consumer Financial Information.”
The April 2019 risk alert focused on compliance shortcomings in two primary areas:
In the latter case, the OCIE particularly noted that safeguarding policies either were lacking in part or in whole, or were not implemented or reasonably designed to be effective. In other words, advisors might talk the talk, but weren’t walking the walk.
The May 2019 risk alert brings a heightened level of awareness to the risks associated with the use of network storage solutions, including those that are located in the cloud. The use of these technologies and solutions within registered broker-dealers and investment advisors is very common and often part of a solid IT business continuity and disaster recovery plan. Once again, insufficient policies and procedures were an issue, as well as a disconnect between a firm’s own cybersecurity standards and those in actual practice at vendor-provided solutions.
This risk alert is unique, however, in that it specifically identifies the importance of managing configurations and the use of various features within these solutions, as opposed to going with default security configurations. Firms should especially take note that up until now, OCIE has not provided such direct guidance at this level of depth and specificity for a targeted area of cybersecurity risk management.
The OCIE communications come on the heels of the SEC’s first enforcement action last fall against a firm with deficient cybersecurity procedures. These recent risk alerts bear out what my colleagues Alan Brill and Ken Joseph noted at the time about the SEC’s expectations: that companies should “not only have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures to assure that they are working as intended.”
OCIE staff highlighted in these alerts, as they have in prior cyber-focused alerts, the importance of having written policies and procedures that drive specific actions around privacy and data protection. Far from being a “check the box” activity, creating meaningful policies and procedures should reflect a firm’s understanding and commitment to data security. In fact, OCIE took specific issue with policies that did not appear to be implemented or designed to “protect against anticipated security-related threats or hazards” in the course of day-to-day activities. When looking at where OCIE’s latest exams found issues, how would your firm stack up today in these areas:
In both risk alerts, OCIE not only emphasized where firms had neglected to establish pragmatic cybersecurity controls, but was also critical of firms that failed to ensure their existing policies and standards were being implemented effectively by employees and third parties alike.
Terms such as “misconfigured”, “inadequate” and “insufficient” pepper the alerts. Even so, the alerts give firms a lens through which they can measure their own cybersecurity efforts. The May alert particularly highlights the importance of establishing security configuration baselines, configuration management, and the processes involved in ensuring that these steps are followed, not only internally, but with partners and vendors.
Kroll recommends that broker-dealers and advisors take a second look today at both their cybersecurity policies and actual practices in light of these new risk alerts. The following best practices can form the framework for your inquiries:
As data breaches continue to occur, Kroll believes that OCIE will provide more specific guidance and recommendations with respect to their expectations for advisor cybersecurity programs. OCIE expects broker-dealers and advisors to not only address the challenges of current cyber risks, but also to have an awareness that risks are continually evolving.
Firms must be positioned to mitigate cyber risks as they develop, and enlisting the help of experts such as Kroll’s Cyber Risk specialists can take this complex burden off your internal staff. We work every day with clients in highly regulated industries, including broker-dealers, and understand your cyber risk challenges well. To learn how our end-to-end services can help your firm meet current and evolving OCIE cybersecurity expectations, contact a Kroll Cyber Risk expert today.