The SEC's Seven Focus Areas for RIA Cybersecurity

Learn more about the SEC's RIA Cybersecurity focus areas and what each one means.

1. Governance and risk management

OCIE notes that effective cybersecurity programs incorporate a governance and risk management program that includes: "(i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures."

OCIE has observed risk management and governance measures such as:

  • Senior Level Engagement
  • Risk Assessment
  • Policies and Procedures
  • Testing and Monitoring
  • Continuously Evaluating and Adapting to Changes
  • Communication

2. Access rights and controls

Access rights and controls refer to allowing or limiting access to devices and systems only to those in the organization who are authorized to access data within those systems based on the user's job responsibilities. According to OCIE, "Access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access."

OCIE observed user access, access management, and access monitoring practices at organizations that have access rights and controls strategies in place.

3. Data loss prevention

Data loss prevention refers to the sets of tools and processes used to prevent the misuse of, or unauthorized access to, sensitive data or non-public information ("NPI"). Data loss prevention measures utilized by organizations include:

  • Vulnerability Scanning
  • Perimeter Security
  • Detective Security
  • Patch Management
  • Inventory Hardware and Software
  • Encryption and Network Segmentation
  • Insider Threat Monitoring
  • Securing Legacy Systems and Equipment

4. Mobile security

Because mobile devices and applications add further layers of vulnerability, it is critical that proper security measures are put in place to mitigate the risk of cyber attacks through them. At organizations using mobile devices and applications, OCIE has observed the following security measures:

  • Policies and Procedures
  • Managing the Use of Mobile Devices
  • Implementing Security Measures
  • Training Employees

5. Incident response and resiliency

As stated by OCIE, "Incident response includes: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents." OCIE notes that business continuity and resiliency are integral components of an effective incident response plan.

Incident response plans include:

  • Development of a Plan
  • Addressing Applicable Reporting Requirements
  • Assigning Staff to Execute Specific Areas of the Plan
  • Testing and Assessing the Plan

Strategies to address resiliency include:

  • Maintaining an Inventory of Core Business Operations and Systems
  • Assessing Risks and Prioritizing Business Operations
  • Considering Additional Safeguards

6. Vendor management

As firms increasingly rely on third-party vendors to manage business operations, vendor management is a critical area of focus within a firm's cybersecurity program. Policies and procedures related to vendor management should address due diligence, oversight of vendors, ongoing risk assessment of vendors, and vendors' access to and protection of sensitive information.

The following vendor management practices were observed by OCIE:

  • Vendor Management Program
  • Understanding Vendor Relationships
  • Vendor Monitoring and Testing

7. Training and awareness

After creating cybersecurity policies and procedures, it is important that employees are aware of the cyber threats they face, understand their responsibilities within the cybersecurity program, and are equipped to respond to cybersecurity events.

In the area of cybersecurity training and awareness, OCIE observed the following practices:

  • Policies and Procedures as a Training Guide
  • Including Examples and Exercises in Trainings
  • Training Effectiveness

Tip: Overall, the three primary types of cybersecurity risk for investment advisers as supported by OCIE's observations are people, technology, and vendors. It is important that firms focus on these primary areas when creating and implementing cybersecurity policies and procedures.