An RIA Firm’s Cybersecurity Compliance Program
Beginning in 2015, the U.S. Securities and Exchange Commission (“SEC”), via its Office of Compliance Inspections and Examinations (“OCIE”), has specifically listed cybersecurity as an annual examination priority for registered investment advisers (“RIAs”). In the most recent 2019 exam priority guidance, the OCIE staff noted: “Specific to investment advisers, SEC OCIE will… continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.” While these six areas of focus for information security were first enumerated in the SEC’s September 2015 risk alert, they have remained consistently in the spotlight since then.
How the MyRIACompliance Cybersecurity Platform Helps Address Regulatory Focus Areas
Below, under each "SEC Guidance" label, is guidance provided by SEC staff as part of OCIE's 2015 Cybersecurity Examination Initiative, followed by how the platform addresses it. These six topics are the foundation for your investment advisory firm's cybersecurity program:
- Governance and Risk Assessment:
  - SEC Guidance: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.
  - How MyRIACompliance Addresses This Focus Area:
    - The platform helps your firm create and customize cybersecurity policies and procedures to address cybersecurity risks specific to your firm. We also empower your firm’s leadership to more proactively communicate with your firm’s staff members, starting with automated security awareness training and education capabilities.
- Access Rights and Controls:
  - SEC Guidance: Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
  - How MyRIACompliance Addresses This Focus Area:
    - The platform helps you identify and regularly document not only who has access to your firm’s technology, but also what level of access each staff member has to those systems, including whether the technology houses any sensitive or non‑public personal client information. In addition, the platform also delivers training to your staff on the importance of proper password management and other best practices.
- Data Loss Prevention:
  - SEC Guidance: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
  - How MyRIACompliance Addresses This Focus Area:
    - The platform helps your firm design cybersecurity policies and procedures to reduce the risk of an unauthorized transfer of client funds. This includes delivering training to your staff on the risks of client impersonation attempts and how they can lead to unauthorized disbursements or exposure of client information. In addition, the platform helps establish clear policies for personnel to make security update installation and patch management a consistent practice.
- Vendor Management:
  - SEC Guidance: Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
  - How MyRIACompliance Addresses This Focus Area:
    - The platform’s proprietary vendor due diligence tools help your firm readily catalogue and perform proper due diligence on its third‑party vendors, with a particular focus on more sensitive vendor relationships that implicate non-public client information. All vendor due diligence records, along with relevant documentation, are automatically logged in your firm’s exportable compliance log.
- Training:
  - SEC Guidance: Without proper training, employees and vendors may put a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source. With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
  - How MyRIACompliance Addresses This Focus Area:
    - The platform’s proprietary security awareness training content is created exclusively for RIA firms and delivered to your firm’s staff in an elegant, automated, and consistently documented manner. By delivering tailored training and testing to your personnel, we help empower your firm’s staff to become the first line of cybersecurity defense. The content also reinforces your firm’s culture of compliance, emphasizing prompt internal escalation of any suspicious activity to help mitigate the risks of a data breach or other cybersecurity incident.
- Incident Response:
  - SEC Guidance: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.
  - How MyRIACompliance Addresses This Focus Area:
    - The platform is designed to help keep you and your firm’s staff updated on the latest cybersecurity regulatory developments, threats, and best practices for RIAs. Part of that is helping your firm fashion policies and procedures that help identify cybersecurity incidents and respond accordingly. By using MyRIACompliance to regularly update your firm’s current inventory of technology systems, the platform also helps to classify which firm systems pose the greatest risk to your firm.
Applying The NIST Cybersecurity Framework to RIA Firms
The MyRIACompliance cybersecurity platform builds upon the NIST cybersecurity framework to help your firm implement a robust cybersecurity compliance program. NIST is the acronym for the National Institute of Standards and Technology, a government agency within the U.S. Department of Commerce that fosters cybersecurity research, education, and collaboration. As part of that effort, NIST has developed a cybersecurity framework to help organizations of all sizes to identify, assess, and manage cybersecurity risks. Notably, the SEC not only utilizes the NIST framework to help manage its own cybersecurity program, but has also commonly referenced the approach when issuing information security guidance to investment advisers.
The framework focuses on five functions:
- Identify
- Protect
- Detect
- Respond
- Recover
While no system can fully protect your firm from an information security incident, the MyRIACompliance cybersecurity platform has been designed to efficiently construct, implement, and document a robust cybersecurity compliance program. Doing so not only helps your RIA firm meet its regulatory obligations, but also trains and educates your staff to help reduce the firm’s cybersecurity risks.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.