RIA Compliance and Practice Management Blog

SEC Issues New RIA Cybersecurity Guidance Risk Alert

Posted by RIA in a Box

Sep 16, 2015 10:17:54 AM

Yesterday, the Securities and Exchange Commission (SEC)  Office of Compliance Inspections and Examinations (OCIE) staff issued a new registered investment adviser (RIA) regulatory risk alert related to cybersecurity. This comes shortly after the SEC noted in January of this year that cybersecurity would be a key 2015 examination priority and also released the results of its cybersecurity examination sweep this past February. It's hard to debate that the SEC is sending a loud and clear message that RIA firms need to prioritize information security issues.

This latest risk alert notes that the OCIE's 2015 Cybersecurity Examination Initiative will focus on the following key areas:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

The OCIE staff also included a sample document request list in the appendix of the risk alert which provides details on the requested items within each of the categories listed above.

As RIA compliance consultants, the pieces from this most recent risk alert that stood out to us were:

  • Much like in regards to an advisory firm's broader compliance program, SEC examiners are expecting RIA firms to conduct risk assessments to determine whether the proper tailored information security policies and procedures are in place.
  • The OCIE staff is becoming a proponent of multi-factor authentication to help prevent unauthorized access to firm systems. We continue to strongly recommend the use of multi-factor authentication to all RIA firms. Firms that aren't utilizing this capability should anticipate increased scrutiny during examinations.
  • Training of not only employees, but also third-party vendors, is a large focus of the staff's comments. OCIE staff will be looking for clear evidence that firms are taking information technology security training seriously. Including such training as part of the firm's annual compliance meeting is a good starting point but not enough.

It's vital that the Chief Compliance Officer (CCO) of all advisory firms review this latest risk alert and also ensure that his or her firm is implementing the proper information security policies and procedures. There should be no doubt that the SEC will be increasingly focused on cybersecurity issues moving forward and that cybersecurity needs to be a key component of the compliance program for RIA firms of all sizes.

Download Our Free RIA Cybersecurity Compliance Checklist


Topics: RIA Operations, RIA Compliance, RIA Technology

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.

RIA Compliance & Practice Management

Stay up to date on the latest RIA compliance, operations, and technology topics.

Hear from industry experts as they keep you up to date on the latest regulatory developments and practice management topics.

Subscribe to Email Updates

Recent Posts