New areas of focus among the U.S. regulator's annual examination priorities
Friday, February 15, 2019
By Askari Foy
Cybersecurity continues to be a primary focus area for the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE), as indicated in their 2019 examination priorities. It's no surprise given the growing cybersecurity threats facing investment advisers and the consequences a cyber-attack can have on firms.
The SEC announced two new cyber focus areas in the 2019 examination priorities - here's what your firm needs to know, and what you can do to prepare:
Multiple Branch Offices - Your firm's cybersecurity policies and procedures should define cybersecurity controls for branch offices. This includes adopting branch-level policies and procedures and describing the cybersecurity oversight over branch offices. In addition to maintaining effective cybersecurity controls and protecting client information, your firm needs to evaluate the security measures at the branch offices to ensure the data and assets are inventoried and protected and standards are consistent with the home office.
Investment Adviser Mergers/Acquisitions - Your firm should be ready to demonstrate the due diligence process before and after a merger or acquisition transaction. This includes understanding the cybersecurity risk and vulnerabilities posed by the transaction, network and system architecture and data flow, inventory of the cybersecurity products and technologies, third-party relationships, and written security program that meets current regulatory and industry standards. Your firm should also demonstrate how it is managing the new entity through changes to processes, resources, technology and governance that can impact the availability or confidentiality of data and assets, assessing vulnerabilities that arise during system implementation, and demonstrating effective governance throughout the integration process.
Other Focus Areas
In addition to these new areas, governance, access rights and controls, data loss prevention, vendor management, incident response, and training continue to be key focus areas for 2019. Below is what you can do to prepare:
Governance - Your firm should address the SEC's cyber focus areas as part of your written cybersecurity policies and procedures. This includes demonstrating how cybersecurity threats are identified, managed, documented, and reported; how cybersecurity roles and accountability are assigned; and how your firm's leadership implements cybersecurity governance.
Access Rights and Controls - To prevent unauthorized access of network resources and devices, the SEC expects your firm to implement security tools that restrict user access according to job function, as well as conduct access reviews for employees and vendors.
Data Loss Prevention - Your firm should implement security measures designed to combat the loss of sensitive enterprise data such as non-public personally identifiable information and shareholder data. These security measures should strengthen your firm's ability to identify, monitor, and protect data at rest, in use, and in motion.
Vendor Management - Vendors are entrusted with sensitive data, and the SEC expects firms to perform due diligence on third parties, consider contract requirements, determine vendor risk ranking criteria, and conduct ongoing oversight. Also of note, the European Union General Data Protection Regulation (GDPR) requires firms to undertake a holistic risk assessment to fully consider the key risk areas relating to the processing of personal data. In addition, your firm should review and update your existing privacy and information security policies and procedures for alignment with your firm's GDPR requirements.
Incident Response - Your firm must have an incident response plan in place to address potential cybersecurity incidents. This includes timely detection of the incident, properly disclosing information, and taking appropriate corrective actions.
Training - Periodic cybersecurity awareness training is mandatory for all employees and contractors. Advisers must maintain evidence of the training performed, topics covered, and list of employees that participated.
Askari Foy is managing director of ACA Aponix. Before joining the ACA Compliance Group unit, he worked for more than 13 years with the Securities and Exchange Commission, most recently as associate director and head of the National Technology Controls Program within the Office of Compliance Inspections and Examinations.