Last week, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new National Exam Program Risk Alert summarizing observations from recent OCIE examinations conducted under the Cybersecurity Examination Initiative announced on September 15, 2015. As part of the SEC’s “Cybersecurity 2 Initiative,” OCIE staff recently audited a total of 75 firms consisting of registered investment advisers, broker-dealers, and investment companies. This latest SEC OCIE staff guidance follows the February 3, 2015 release of observations from the first round of SEC cybersecurity examinations and the guidance issued in September 2014 by the North American Securities Administrators Association (“NASAA”).
To summarize its most recent registered investment adviser (“RIA”) information security examination observations, SEC OCIE staff writes, “the staff observed increased cybersecurity preparedness since our 2014 Cybersecurity 1 Initiative. However, the staff also observed areas where compliance and oversight could be improved.” In particular, this latest round of examinations focused on these six cybersecurity areas:
- Governance and risk assessment
- Access rights and controls
- Data loss prevention
- Vendor management
- Training
- Incident response
Based on its review of those six areas, SEC OCIE staff provided the following guidance in this latest risk alert:
Summary of Examination Observations
SEC OCIE staff notes that “all broker-dealers, all funds, and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information. This contrasts with the staff’s observations in the Cybersecurity 1 Initiative, in which comparatively fewer broker-dealers and advisers had adopted this type of written policies and procedures.” Thus, overall the SEC OCIE staff acknowledges that investment firms are increasingly adopting written information security policies and procedures, which should form the foundation of an RIA firm’s cybersecurity program. However, when reviewing the implementation of those policies and procedures in detail, the staff made a number of observations for RIA firms to consider, including:
- While many advisers conduct penetration tests and vulnerability scans on systems, some firms failed to “fully remediate some of the high risk observations that they discovered from these tests and scans.”
- Nearly all advisers established a policy that included the installation of software patches to address security vulnerabilities. Yet it appeared that some firms did not fully follow this policy, as the staff observed “critical security updates that had not yet been installed.”
- While most firms had a policy in place to handle unauthorized access events, “less than two-thirds of advisers and funds” had plans in place to notify clients of data breach incidents.
Issues Observed
Although the results of this most recent cybersecurity examination sweep were generally more favorable than those of the previous sweep, “the staff observed one or more issues in the vast majority of the Cybersecurity 2 Initiative examinations.” Given the issues observed, the SEC OCIE staff encourages RIA firms to be aware of the following potential compliance issues:
- Policies and procedures not reasonably tailored to the firm
- Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices. Specific examples cited include:
  - Annual client protection reviews were required, but were conducted less frequently
  - Ongoing reviews to determine whether security protocols were appropriate were required, but such reviews were only conducted annually or not at all
  - Conflicting and confusing instructions were provided to employees
  - Cybersecurity awareness training was required, but it did not appear to take place for all employees
- With regard to issues related to Regulation S-P, the SEC OCIE staff also observed the following:
  - Stale risk assessments
  - Lack of remediation efforts
Elements of Robust Policies and Procedures
The SEC OCIE staff recommended that RIA firms consider incorporating the following items in their cybersecurity-related policies and procedures:
- Maintenance of an inventory of data, information, and vendors
- Detailed cybersecurity-related instructions regarding penetration tests, security monitoring and system auditing, access rights, and reporting
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities
- Establishment and enforcement of controls over access to data and systems, such as “acceptable use” policies, mobile device usage, third-party vendor logs, and termination of access for former employees
- Mandatory employee information security training
As RIA compliance consultants, we strongly recommend that the principals and Chief Compliance Officer of every investment advisory firm registered at the federal or state level review the contents of this latest SEC RIA compliance risk alert. When it comes to addressing information security risk, “engaged senior management” and frequent employee training should go hand in hand with tailored cybersecurity-related policies and procedures. With cybersecurity also listed as one of the top 2017 RIA exam priorities, advisory firms should prepare for increased information security-related scrutiny during routine audits.