When the Commission announced its examination priorities in January, the SEC warned RIAs that examiners would be looking at cybersecurity preparedness. The SEC also held a cybersecurity roundtable to analyze the vulnerability of regulated entities such as broker-dealers and RIAs.
In April, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a National Exam Program Risk Alert warning advisors of the regulator's intent to assess cybersecurity preparedness in the securities industry by conducting examinations of more than fifty RIAs and regional B-Ds.
SAMPLE DOCUMENT REQUEST
Accompanying the risk alert was a sample cybersecurity document request, which the OCIE may use in conducting examinations. The sample document request, which holds important lessons for advisors, indicates that RIAs may be required at some point to implement specific policies and procedures designed to prevent attacks. The request focuses on the following:
- Identification of risks and cybersecurity governance;
- Protection of networks and information;
- Risks arising from remote customer access and funds transfer requests;
- Risks related to vendors and other third parties; and
- Detection of unauthorized activity.
RIAs and B-Ds have been advised to use the sample document request to assess their own cybersecurity preparedness.
While examiners do not expect investment advisors to be IT experts, they do expect them to understand the cybersecurity risks facing their firms. Advisors cannot assume that their IT consultants have the situation under control. RIAs should be aware of all computers and devices connected to their network. They should possess an inventory of every application supported on their networks.
REMOTE ACCESS & FUND TRANSFERS
The sample document request demonstrates that the SEC is particularly concerned about the security of online accounts. If an RIA provides clients with online account access, the sample document request asks for:
- The name of any third party managing the service;
- An explanation of the functions that can be performed online, such as withdrawals or other external transfers of funds;
- How the client is authenticated for online account access and transactions;
- Any software or alternative methods used to detect unusual transaction requests;
- How clients’ PINs are protected; and
- Any information provided to customers to reduce cybersecurity risks.
The document also seeks information regarding firms’ procedures for verifying e-mail requests to transfer funds, as well as their policies governing responsibility for losses from attacks or intrusions affecting clients.
PERIODIC RISK ASSESSMENT
The sample request asks whether the RIA conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences, as well as when those assessments took place and what they found. The firm’s policies and procedures identifying who is in charge of cybersecurity, and whether employees receive training regarding cyber threats, are also under scrutiny.
The OCIE wants to know what firms are doing to counteract those threats, such as using encryption software on smartphones used to communicate with clients.
Based on the sample document request, RIAs must do more than just protect their own networks against attacks. Examiners will seek information pertaining to the firm’s vendors and their access to the RIA’s system, which can open the door to cyber threats.
Firms must use due diligence to ensure that third-party service providers are fully protecting clients’ information. For example, when choosing a cloud provider, advisors should conduct due diligence of the vendor’s security rather than focusing on price alone.
Additionally, RIAs should be sure to evaluate their insurance coverage since the sample document request asks whether the RIA maintains a policy to cover losses and expenses attributable to cybersecurity incidents. Ideally, RIAs will have coverage for losses, mediation costs, and litigation expenses arising from data breaches.
The OCIE’s cybersecurity initiative has implications for all RIAs, not just those firms initially targeted for examination. RIAs should not wait for the OCIE to put cybersecurity rules in place and should implement policies and procedures designed to mitigate risks facing the firm.
Advisors will benefit by urging clients to notify them immediately if they become victims of identity theft, even if there is no apparent connection to the RIA. Advisory firms should adopt specific safeguards for any client whose personal data has been compromised in any way.
At a minimum, RIAs should be able to demonstrate that they took action to protect against threats. Firms should have a documented process for regularly updating firewalls, anti-spam and anti-virus software. Patches, especially those intended to fix security vulnerabilities, must be applied in a timely fashion.
Les Abromovitz is an attorney and senior consultant with National Compliance Services and the author of The Investment Advisor’s Compliance Guide.