Yesterday, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) staff issued a new registered investment adviser (RIA) regulatory risk alert related to cybersecurity. This comes shortly after the SEC noted in January of this year that cybersecurity would be a key 2015 examination priority and also released the results of its cybersecurity examination sweep this past February. It's hard to debate that the SEC is sending a loud and clear message that RIA firms need to prioritize information security issues.
This latest risk alert notes that the OCIE's 2015 Cybersecurity Examination Initiative will focus on the following key areas:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Incident Response
The OCIE staff also included a sample document request list in the appendix of the risk alert which provides details on the requested items within each of the categories listed above.
As RIA compliance consultants, the pieces from this most recent risk alert that stood out to us were:
- Much like in regards to an advisory firm's broader compliance program, SEC examiners are expecting RIA firms to conduct risk assessments to determine whether the proper tailored information security policies and procedures are in place.
- The OCIE staff is becoming a proponent of multi-factor authentication to help prevent unauthorized access to firm systems. We continue to strongly recommend the use of multi-factor authentication to all RIA firms. Firms that aren't utilizing this capability should anticipate increased scrutiny during examinations.
- Training of not only employees, but also third-party vendors, is a large focus of the staff's comments. OCIE staff will be looking for clear evidence that firms are taking information technology security training seriously. Including such training as part of the firm's annual compliance meeting is a good starting point but not enough.
It's vital that the Chief Compliance Officer (CCO) of all advisory firms review this latest risk alert and also ensure that his or her firm is implementing the proper information security policies and procedures. There should be no doubt that the SEC will be increasingly focused on cybersecurity issues moving forward and that cybersecurity needs to be a key component of the compliance program for RIA firms of all sizes.