Why choosing a cybersecurity auditor may be tougher than you think

With its 2017 list of examination priorities, the Securities and Exchange Commission left little doubt about its zeal for having advisory firms focus their attention on cybersecurity measures.

“We will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls,” the SEC said in the statement announcing its examination priorities.

But advisory firms, which want to conduct cybersecurity audits to pre-empt any future SEC troubles, must reckon with a reality: Cybersecurity auditing is a less than fully developed science.

“Because of the recent focus on cybersecurity from the SEC, this has become a hot topic. Since firms expect this to be included in their next SEC exam, it certainly makes sense to perform an internal audit prior to that,” says Brent Everett, founder, chief investment officer and partner at Talis Advisors in Plano, Texas.

But, “most traditional IT firms don’t understand the complex requirements of our industry and the few that do are focused on servicing large enterprises, not the typical small to medium-sized RIAs,” he says.

Until more options develop, advisory firms must choose among the “service providers that have sprung up to address this area of the market,” Everett says.

It is an imperfect situation.

“As the requirements are still rapidly evolving, there is still little standardization of the audit process, what is required and what is provided. This makes it quite difficult to compare services from different suppliers,” Everett says.

Caveat emptor rules apply.

“It’s also quite obvious that many of the suppliers are in the start-up phase and don’t have particularly robust documentation of their processes. It’s an immature industry, and pricing varies wildly; you don’t always get what you pay for,” Everett says.

“Unless you have someone on your staff that’s pretty IT-savvy, it can be quite difficult to choose whom you want to work with,” he says.

Stephen Scott, a CFP at Abacus Planning Group in Columbia, South Carolina, says that the SEC’s pronouncements increased his firm’s interest in cybersecurity auditing, and yet obvious options aren’t available.

“We are hearing the SEC is doing these audits. It is something we are very concerned about,” he says.

Abacus Planning Group used one vendor that ran a drill in which it systematically phished the firm's employees.

“It was cheesy, but it was still pretty powerful,” Scott says. “They definitely could get to some stuff they shouldn’t be able to get.”

After the phishing drill, the same vendor conducted a training session for Abacus Planning Group.

As a result of the training, the employees who were once easy phishing victims are, at least in theory, no longer so vulnerable, Scott says.

His firm has also established other policies and procedures for keeping out hackers and phishers.

“Make sure you are doing what your policies and procedures say you should be doing,” Scott says.

Until the SEC provides more guidance, such as a checklist for cybersecurity measures, “that’s all we can do,” he says.

This story is part of 30-30 series on how technology is changing your practice.
