RIA Cybersecurity: The SEC’s 7 Focus Areas

Feb 24, 2020

SEC focus areas are governance, access rights and controls, data loss prevention, mobile security, incident response, vendor management, and training.

On January 27th, 2020, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released OCIE Cybersecurity and Resiliency Observations. This report identifies industry practices related to managing and combating cybersecurity risks and firms’ continuing ability to adapt when faced with cybersecurity threats. The observations are based on thousands of examinations of broker-dealers, investment advisers, and other SEC registrants.

OCIE identified cybersecurity management practices in the areas of:  

1. Governance and risk management
2. Access rights and controls
3. Data loss prevention
4. Mobile security
5. Incident response and resiliency
6. Vendor management
7. Training and awareness
 
The areas highlighted by this latest SEC investment adviser cybersecurity report closely mirror the six information security focus areas which were originally highlighted by the SEC in September of 2015 and have continued to be regularly referenced in recent RIA examination priority lists. This latest list of information security focus areas includes some minor modifications to the original six focus areas which were:
  1. Governance and Risk Assessment
  2. Access Rights and Controls
  3. Data Loss Prevention
  4. Vendor Management
  5. Training
  6. Incident Response

The most notable change is the addition of the new mobile security category. 

Below we provide some additional detail on the latest areas of SEC cybersecurity focus:

1. Governance and risk management

OCIE notes that effective cybersecurity programs incorporate a governance and risk management program that includes: “(i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.”

OCIE has observed risk management and governance measures such as:

  • Senior Level Engagement
  • Risk Assessment
  • Policies and Procedures
  • Testing and Monitoring
  • Continuously Evaluating and Adapting to Changes
  • Communication

2. Access rights and controls

Access rights and controls refer to allowing or limiting access to devices and systems so that only those in the organization who are authorized, based on the user’s job responsibilities, can access the data within those systems. According to OCIE, access controls generally include: “(i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.”

At organizations with access rights and controls strategies, OCIE observed practices in three areas: user access, access management, and access monitoring.
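The three elements OCIE lists (knowing where data lives, restricting access by job role, and monitoring for unauthorized access) can be expressed as a small least-privilege check. The following is an added illustration, not code from the SEC report or from any product named on this page; the data stores, roles, and user names are constructed for the example.

```python
"""Least-privilege access check with an audit trail.

Constructed example: the data inventory, role entitlements and users below
are made up to illustrate the three access-control elements described in
the text, not taken from the OCIE report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (i) Data inventory: where client data is kept and how sensitive it is.
# "npi" marks non-public information about clients.
DATA_INVENTORY: Dict[str, str] = {
    "crm/clients": "npi",
    "portfolio/holdings": "npi",
    "marketing/collateral": "public",
}

# (ii) Entitlements by job role: role -> set of (dataset, action) pairs.
# A role gets only what its job responsibilities require.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "advisor": {
        ("crm/clients", "read"),
        ("portfolio/holdings", "read"),
        ("portfolio/holdings", "write"),
    },
    "operations": {("crm/clients", "read"), ("crm/clients", "write")},
    "marketing": {
        ("marketing/collateral", "read"),
        ("marketing/collateral", "write"),
    },
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, str] = {
    "alice": "advisor",
    "bob": "marketing",
    "carol": "operations",
}


@dataclass
class AccessMonitor:
    """(iii) Records every decision so denied attempts can be reviewed."""

    events: List[dict] = field(default_factory=list)

    def record(self, user: str, dataset: str, action: str,
               allowed: bool, reason: str) -> None:
        self.events.append({
            "user": user,
            "dataset": dataset,
            "action": action,
            "sensitivity": DATA_INVENTORY.get(dataset, "unknown"),
            "allowed": allowed,
            "reason": reason,
        })

    def denied_npi_attempts(self) -> List[dict]:
        """Denied requests against NPI stores: the events worth alerting on."""
        return [e for e in self.events
                if not e["allowed"] and e["sensitivity"] == "npi"]


def check_access(user: str, dataset: str, action: str,
                 monitor: AccessMonitor) -> bool:
    """Allow only when the dataset is inventoried, the user is known, and the
    user's role is entitled to the requested action. Default is deny."""
    if dataset not in DATA_INVENTORY:
        monitor.record(user, dataset, action, False, "dataset not in inventory")
        return False
    role: Optional[str] = USER_ROLES.get(user)
    if role is None:
        monitor.record(user, dataset, action, False, "unknown user")
        return False
    if (dataset, action) not in ROLE_PERMISSIONS.get(role, set()):
        monitor.record(user, dataset, action, False,
                       f"role '{role}' not entitled to {action}")
        return False
    monitor.record(user, dataset, action, True, f"entitled via role '{role}'")
    return True


def entitlement_report(dataset: str, action: str) -> List[str]:
    """Periodic access review: which users can perform `action` on `dataset`."""
    return sorted(user for user, role in USER_ROLES.items()
                  if (dataset, action) in ROLE_PERMISSIONS.get(role, set()))


if __name__ == "__main__":
    monitor = AccessMonitor()
    check_access("alice", "portfolio/holdings", "write", monitor)  # allowed
    check_access("bob", "crm/clients", "read", monitor)            # denied
    check_access("dave", "crm/clients", "read", monitor)           # unknown user
    for event in monitor.denied_npi_attempts():
        print("review:", event)
    print("can read crm/clients:", entitlement_report("crm/clients", "read"))
```

The default-deny structure and the separate entitlement report are the design points: the first keeps unlisted data stores and unknown users out even when a role table is incomplete, and the second supports the periodic user access reviews that examiners ask to see.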

3. Data loss prevention

Data loss prevention refers to the sets of tools and processes used to prevent the misuse or unauthorized access of sensitive data or non-public information (“NPI”). Data loss prevention measures utilized by organizations include: 

  • Vulnerability Scanning
  • Perimeter Security
  • Detective Security
  • Patch Management
  • Inventory Hardware and Software
  • Encryption and Network Segmentation
  • Insider Threat Monitoring
  • Securing Legacy Systems and Equipment

4. Mobile security 

Mobile devices and applications add further layers of vulnerability, so it is critical that proper security measures are put in place to mitigate the risk of cyber attacks via mobile devices and applications. At organizations using mobile devices and applications, OCIE has observed the following security measures:

  • Policies and Procedures
  • Managing the Use of Mobile Devices
  • Implementing Security Measures
  • Training Employees

5. Incident response and resiliency

As stated by OCIE, “Incident response includes: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents.” OCIE notes that business continuity and resiliency are integral components of an effective incident response plan.

Incident response plans include:

  • Development of a Plan
  • Addressing Applicable Reporting Requirements
  • Assigning Staff to Execute Specific Areas of the Plan
  • Testing and Assessing the Plan

Strategies to address resiliency include:

  • Maintaining an Inventory of Core Business Operations and Systems
  • Assessing Risks and Prioritizing Business Operations 
  • Considering Additional Safeguards 

6. Vendor management

As firms increasingly rely on third-party vendors to manage business operations, vendor management is a critical area of focus within a firm’s cybersecurity program. Policies and procedures related to vendor management should address due diligence, vendor oversight, ongoing risk assessment of vendors, and vendors’ access to and protection of sensitive information.

The following vendor management practices were observed by OCIE:

  • Vendor Management Program
  • Understanding Vendor Relationships
  • Vendor Monitoring and Testing

7. Training and awareness

After creating policies and procedures around cybersecurity, it is important that employees are aware of the cyber threats presented, understand their responsibilities within the cybersecurity program, and are equipped to respond to cybersecurity events.

In the area of cybersecurity training and awareness, OCIE observed the following practices:

  • Policies and Procedures as a Training Guide
  • Including Examples and Exercises in Trainings 
  • Training Effectiveness

Overall, the three primary sources of cybersecurity risk for investment advisers, as supported by OCIE’s observations, are people, technology, and vendors. It is important that firms focus on these primary areas when creating and implementing cybersecurity policies and procedures. The MyRIACompliance™ Cybersecurity Platform helps RIA firms address each of the above cybersecurity practice management areas by helping your firm create custom cybersecurity policies and procedures, control access rights, train and test staff, manage vendors, and respond to cybersecurity incidents.