SEC Warns Firm Leaders on Cybersecurity Policies

ARLINGTON, Va. -- As advisors continue to develop policies and procedures for protecting their systems and data from cyberattacks, they need to establish security as a firm-wide priority, a top SEC official warns.

That demands "an approach to security that is meaningful and that is more than just a check-the-box approach, which really requires a strong governance component," said David Glockner, director of the SEC's Chicago regional office.

Glockner addressed an audience at the Investment Adviser Association's annual compliance conference via telephone (his flight from Chicago was canceled due to inclement weather), and touted the importance of senior management at a firm establishing cybersecurity as a priority for all units of the business -- not just IT and compliance. "I think it is difficult to [maintain] an effective cybersecurity program without high-level engagement," Glockner said.

"I think it's very difficult to have an effective security program that is just in the IT world. Cybersecurity is an important risk, but it's one of a bunch of risks that an investment advisor faces, and in order to be sort of appropriately placed within the enterprise risk management matrix, firms really need to be thinking about it in the context of all their other risks, and that's difficult to do if you're just approaching it from an IT perspective."

WHAT THE SEC LOOKS FOR

Glockner's comments come as the SEC has been taking a closer look at registrants' cybersecurity policies. Earlier this year, the commission released the preliminary results of a series of sweep exams it had been conducting looking at that issue at both advisor and broker-dealer practices.

That review is ongoing, and the commission stopped short of offering prescriptive guidance, opting instead to release a set of data points examiners unearthed in their reviews, finding that less than a third of advisor firms have designated a chief information security officer to run point on their cybersecurity efforts, and slightly more than half conduct regular audits of their information security policies.

Glockner emphasized that the SEC is not looking to adopt or enforce stringent technical rules regarding advisors' cybersecurity practices, noting that the commission is primarily interested in ensuring that firms have a "reasonable" set of policies and procedures in place.

"Reasonable security procedures will look different for different registrants," Glockner said.

APPROPRIATE OR EFFECTIVE?

But even with that wide latitude the SEC is extending to firms as they shape their cybersecurity approach, experts stress that any effective policy must remain dynamic, incorporating a thorough and ongoing assessment of risks, employee training programs, and coordination with the third-party vendors the firm partners with, among other factors.

Gerald Stegmaier, a partner at the law firm Goodwin Procter, argues that advisors' security posture needs to adapt and evolve just like the nature of the cyberthreats they face. Put another way, advisors cannot view cybersecurity as a simple compliance exercise.

"Compliance tends to be very prescriptive -- do you have these things in place?" Stegmaier said.

"If the answer is yes, it doesn't necessarily go to the effectiveness of those controls, whether they're effective and whether they're appropriate for your pain points," he said. "The policy is only as good as its execution."

Kenneth Corbin is a Financial Planning contributing writer in Washington.

Read more:

For reprint and licensing requests for this article, click here.
Practice management Technology Compliance Law and regulation Financial planning RIAs
MORE FROM FINANCIAL PLANNING