The Securities and Exchange Commission (SEC) has made increasing cybersecurity risk management a priority for registered investment advisers (RIAs) over the past several years. Earlier this year, the SEC proposed cybersecurity risk management rules, including new requirements for reporting, disclosures, and record keeping of cybersecurity incidents.  

Part of the proposal also addressed whether RIAs should have a dedicated chief information security officer (CISO) for active oversight of cybersecurity policies and procedures. 

In this article, we’ll discuss the role of a CISO in an RIA firm and explore the regulatory considerations for requiring a dedicated person in this position.  

CISO vs. CIO: What’s the difference? 

Most people are probably more familiar with the role of chief information officer (CIO). A CIO encompasses and oversees all the people, processes, and technologies within a company’s Information Technology (IT) organization. The CIO may help lead digital transformation initiatives by exploring how a business can use technology to improve speed, customer service and innovation, by empowering the business to harness data more effectively, and/or by helping to bring a business to the cloud.  

A CISO, on the other hand, focuses specifically on cybersecurity issues, including implementing training protocols, security software and new regulations. CISOs are responsible for developing procedures and policies designed to protect communications, systems, and assets from both internal and external threats.  

The CISO isn’t just charged with responding to data breaches or security problems as they occur, they will actively anticipate and manage potential threats as they emerge.  

While a CISO’s specific focus is on maintaining cybersecurity risk management, many tasks still fall under the role’s purview, including: 

1. Cybersecurity training 

   Protecting an RIA firm from cyber attacks begins with arming internal employees with the knowledge they need to recognize and respond to cybersecurity threats.  

   A substantial number of security breaches are the result of human error. No matter how knowledgeable your staff is in asset management or client service, they simply don’t know what they don’t know about cybersecurity. 

   A CISO will help manage employee cybersecurity training, beginning with vetting potential employees during the interview and hiring process for cybersecurity knowledge and their willingness to adhere to your firm’s regulations. 

   Cybersecurity training should also be built into the onboarding process. A CISO will keep all employees up to date about the potential of new or increased threats. 

2. Implementing a cybersecurity awareness program

   A CISO will also be responsible for putting programs in place to mitigate security risks and manage the fallout from potential incidents. Cybersecurity awareness programs include:  

   • Third-party vendor management: RIA firms are increasingly turning to best-in-class, third-party technology providers to replace spreadsheets and other manual processes. However, providing vendor access to your firm’s network or sensitive client data creates a serious security risk, as cyber criminals are known to use third–party entry points to gain access to the firm’s internal systems.   
   • Disaster recovery planning: If business interruptions occur, RIA firms need to have plans to securely recover books, records, client data, connection to custodians and databases, etc. A CISO will help define and implement these measures.
3. Maintaining compliance

Finally, a CISO is responsible for ensuring that RIA firms adhere to cybersecurity rules and regulations set forth by governing bodies, such as the SEC, including keeping firm policies up to date and promptly reporting and responding to cybersecurity incidents as they occur. 

Implementing the CISO role 

In the SEC’s proposal, the agency addressed the financial challenges for smaller firms to hire a highly qualified CISO, considering the salary requirements and high demand for this role.  

For smaller RIA firms, especially those in the early stages, the duties of a CISO would likely be performed by someone already in another similar role, such as the CIO. 

RIAs can also outsource the CISO function to a third party, which can be another viable way for smaller firms to access the highly specialized knowledge and insights necessary to protect themselves against complex, rapidly evolving cyber threats.  

At an RIA firm, a CISO can and should be instrumental in driving technology strategy to help your firm understand which technology solutions make sense to implement based on your firm’s goals and workflows, plus the larger regulatory landscape.  

Does your RIA firm need a CISO? 

At this time, the SEC has not mandated RIA firms to put this role in place. It’s most important your RIA firm and its staff understand what the cybersecurity risks facing your business could be, and have taken the necessary steps to mitigate them.