An inside look at the SEC’s cyber exam
Advisors may think they are well versed in cybersecurity. After all, the SEC has publicly detailed its key cybersecurity focus areas, like risk assessment, data loss prevention, vendor management and incident response. But do financial planners know how examiners evaluate firms to determine whether they pass the test? Probably not.
With an inside look at the regulator's questions, RIA owners can begin to institute and document the protocols needed to prepare and protect themselves and their clients — not only for a regulatory exam, but for a potential cyber breach as well.
Sample Request 1: Show the policies and procedures that address the protection of customer/client/user records and information. This includes policies and procedures that are designed to:
- Secure customer/client/user documents and information.
- Protect against anticipated threats to customer/client/user information.
- Protect against unauthorized access to customer/client/user accounts or information.
Sample Request 2: Produce a copy of the policies, procedures and standards that are designed to ensure that unauthorized persons do not access the advisor’s network resources and devices, or to those polices, procedures and standards that restrict access according to job functions. This could include, for example, the access control policy, acceptable use policy, administrative management of systems policy or the corporate information security policy. Additionally, provide a copy of the last internal audit that covered access rights and controls.
This first request should underscore the need for a thoughtful and detailed cybersecurity policy. Everything asked for in this request, and more, should be covered in that policy. The policy should also spell out how each of these items are monitored and enforced.
As the second request makes plain, simply having a cybersecurity policy on paper is not enough: Cybersecurity preparedness and active monitoring must be a documented part of the RIA’s daily operations. The areas that should be covered include: data and applications inventory and risk assessment, access controls, identity protection and data loss prevention.
Sample Request 3: Produce a copy of the RIA’s policies, procedures and standards related to login attempts, failures, lockouts and unlocks or resets for each perimeter-facing system. Indicate how these policies are enforced and monitored.
These logs should detail how the RIA is enforcing protocols around user access and access controls, including conditional access controls, as well as the firm’s account lockout and password policies. They could include verifications sent regarding password changes, and password vault reporting for business applications. In addition, RIAs need to show the controls in place for accessing fintech applications, including Software as a Service (SaaS) and on-premises software, and for vendors/IT support.
Sample Request 4: Provide a list of all cyber incidents, which should include the amount of actual client losses associated with each one, and the amount reimbursed by the RIA.
Firms need to produce detailed logs of suspicious access activity, making sure to track things like account lockouts and login attempts from abnormal locations. Even attempts that might indicate a minimum level threat or breach, such as phishing attacks, should be documented.
The examiners want to know that the firm tracks such attempted or thwarted events, because they know that every firm has them almost daily.