RIA Cybersecurity

In February 2015, the Office of Compliance Inspections and Examinations released a Risk Alert summarizing its cybersecurity examinations of over 100 advisers and broker-dealers. Following this, on April 28, the Securities and Exchange Commission (SEC) Division of Investment Management released the IM Guidance Update on the importance of cybersecurity; this publication lists considerations that registered investment companies (funds) and registered investment advisers (RIAs) should review in light of rapidly evolving cybersecurity risks.

Most importantly, in order to better prioritize and reduce risk, the Guidance Update suggests conducting regular assessments on:

(1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.
– From the IM Guidance Update, April 2015 | No. 2015 – 02

In addition, the Guidance Update also advises creating a strategy “to prevent, detect and respond to cybersecurity threats” and then to regularly test this strategy. The Update goes on to offer examples of strategies such as:

(1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy.
– From the IM Guidance Update, April 2015 | No. 2015 – 02

Finally, the Update recommends that companies “Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.” The Update goes on to state that “Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.”

The Update concludes with the recommendation to assess third-party service providers and agreements in relation to their cybersecurity exposure.

As anyone can read in the news today, cybersecurity threats are a continuous and growing concern. While the Guidance Update is not intended to be comprehensive, RIAs and others in the financial services industry must honor their obligations under the federal securities laws. A good practice is to adopt a security framework such as NIST or COBIT 5. Using a framework helps ensure that nothing is overlooked in the development of a security plan that is sensible, meets the needs of the company implementing it, and has proper authority behind it. Developing a strategy that fits an individual company's business model and practices, and that includes creating policies and procedures, regular testing and monitoring, personnel training, and client education, is a sound way to reduce the impact of cyber attacks while complying with federal securities laws.