This past week, on April 15, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a registered investment adviser (RIA) cybersecurity compliance risk alert. RIAs and the topic of cybersecurity continue to garner quite a bit of media interest, and this latest SEC risk alert prompted a number of investment adviser news outlets to chime in on the topic, including:
- Mark Schoeff of Investment News: Cybersecurity gets the SEC's attention as agency plans to query advisers on safeguards
- Ted Knutson of Financial Advisor Magazine: SEC Plans Review of RIAs, Broker-Dealers For Lax Cybersecurity
- Melanie Waddell of ThinkAdvisor: SEC Launches Cybersecurity Exams of BDs, Advisors
Rarely does an investment adviser regulatory alert prompt so much immediate industry interest. However, as RIA compliance consultants, we are happy to see this regulatory topic attracting so much attention, as information security is such an evolving area of compliance right now and unfortunately poses substantial risk to RIA firms of all sizes. Even putting the regulatory risk aside for a moment, one breach of this nature that leads to the exposure of client data or loss of client funds can cause enough harm to bring down an entire investment advisory firm.
The SEC's Cybersecurity Risk Alert outlines that the agency will be conducting compliance sweep examinations of more than 50 RIA and broker-dealer firms, with the main focus being cybersecurity. To aid in preparation and to further educate advisory firms in general, the SEC also included a sample information request list that will be utilized during these examinations. The list, which is 7 pages in length, is highly detailed and includes 28 items that could require a response.
With regard to how this sample request list applies to registered investment advisers, here are a few items to note:
- Information Security Policies and Procedures: Throughout the list, the SEC makes references intended to ensure that the RIA firm's compliance manual establishes and enforces the necessary information security measures. Simply having procedures in place is a needed first step but is not enough. These procedures should be tested on a regular basis to identify deficiencies and improvements.
- Business Continuity Plan: The SEC wants to know that the RIA firm's continuity plan not only addresses natural disasters and other common business disruptions, but also cybersecurity threats.
- Insurance: It is important for investment advisers to understand how their firm is protected from an insurance standpoint should a cybersecurity event occur. Unfortunately, a number of insurance policies may have insufficient liability limits and too many carve-outs to provide sufficient investment adviser information security liability protection.
- Client Funds Request: There have been a fair number of documented incidents over the past few years of investment advisory firms being duped into allowing a third party who was improperly posing as a client to obtain client funds. We continue to see a rise in these attempted impersonations as well and strongly advise investment advisory firms to revisit their current firm policies to ensure that they have multiple safeguards in place to prevent such an incident.
- Risks Associated with 3rd Party Vendors: As RIAs continue to outsource more key business functions in order to become more efficient and scale operations, it is important that advisory firms establish policies and protections when it comes to business partners having access to the firm's network, client information, or other sensitive data.
As RIA compliance consultants, we strongly advise that all investment advisory firms review the SEC's Cybersecurity Risk Alert and Sample Request List in detail. As with the SEC's recent update on investment adviser social media compliance issues, this is still very much an evolving topic when it comes to investment adviser compliance, but it's essential that all RIA firms take cybersecurity risks seriously and do all they can to protect sensitive client data and access to client funds.