THE COMPLIANCE COACH
By Thomas D. Giachetti

How to Bolster Cybersecurity During a Pandemic
The SEC is expecting advisors to be even more strident in protecting client records in these times.

Since it first announced its “Cybersecurity Initiative” in April 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations has been relentlessly setting its sights on RIAs’ information security programs. In fact, as recently as its 2020 Examination Priorities, OCIE noted it will “continue to prioritize information security in each of its five examination programs.”

I spoke with our cyber expert, Cary Kvitka, regarding this increasingly important issue. Our firm has been helping RIAs draft customized cybersecurity policies and procedures under Regulation S-P, Rule 30(a) since April 2014. Among other things, the rule broadly requires RIAs to adopt written policies and procedures addressing technical safeguards to protect their clients’ data “against any anticipated threats or hazards to the security or integrity of customer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”

Therefore, when we customize written cybersecurity policies and procedures for our clients, we have turned to OCIE’s published guidance to help identify and address their expectations. We’ve also learned practical lessons, one of which is that size really doesn’t matter much to the SEC’s examination staff. They seem to apply the same standards to RIAs of all sizes, ostensibly because they all face the same type of palpable risks.

It is simply not enough for RIAs to adopt and enforce narrowly tailored policies and procedures for the protection of their clients’ data from internal or external breaches. Rather, these policies must be evaluated and updated in response to operational changes and evolving risks. As this pandemic clearly has changed the way we conduct business and resulted in increased cybersecurity risks, this is an excellent time for RIAs to conduct a formal risk assessment and consider some changes to their policies, procedures, or infrastructure if appropriate. In doing so, OCIE’s Cybersecurity and Resiliency Observations, released not long before the pandemic took hold, serves as a benchmark for industry best practices.

In this respect, SEC Chairman Jay Clayton himself opined, “Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts.” Here are a few items we suggest RIAs specifically consider during those risk assessments, based on OCIE’s Cybersecurity and Resiliency Observations:

Access Management: OCIE highlights multi-factor authentication as an effective tool to mitigate both internal and external penetrations. In the context of the pandemic, RIAs should consider whether to implement or increase their use of multi-factor authentication, especially where users will be logging into firm systems from outside the firm’s physical office.

Vulnerability Scanning: RIAs should establish a vulnerability management program that could scan network components, information systems, and endpoints. Because the RIA’s endpoints may have spread well outside the office during the pandemic and they may be relying upon different vendors, they should consider the adequacy of their vulnerability management program and consider additional fortification if necessary.

Vendor Monitoring and Testing: As RIAs rely more on third-party service providers, OCIE apparently has increased its due diligence obligations for RIAs. This includes monitoring vendor relationships to ensure that they continue to meet security requirements and notify RIAs about critical personnel changes. The pandemic may have put overwhelming strain on some of these vendors, and therefore, RIAs may be at risk of a service interruption that could ultimately damage their clients. Therefore, RIAs should consider additional communications with their vendors and evaluation of substitute vendors if necessary.

Risk Assessments: The risk assessment should identify, manage, and mitigate cyber risks relevant to the RIA’s business. This includes identification and prioritization of “potential vulnerabilities, including remote or traveling employees or insider threats.” In the case of the pandemic, RIAs should assess the increased risks of having their staff working from home or unable to access firm resources as they could at the office.

Thomas D. Giachetti is chairman of the Investment Management and Securities Practice Group of Stark & Stark, a law firm. He can be reached at firstname.lastname@example.org.