August 9, 2017

SEC Risk Alert: Cybersecurity

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) released their observations of cybersecurity preparedness from the examinations of 75 SEC registered firms, including registered investment advisors (“RIAs”). Although the OCIE noted improvements since their last cybersecurity risk alert in 2014, there is still room for improvement.

The OCIE suggests that RIAs consider the following practices to enhance their cybersecurity policies and procedures.

What you need to know:

  • Include details on how safeguards will be implemented. OCIE recommends adding safeguards that are specific to your RIAs computers and systems to your procedures.
  • Penetration tests to review the effectiveness of the firm's cybersecurity policies and procedures.
  • Security monitoring and system auditing of the firm’s cybersecurity framework. To answer questions, such as, when systems are reviewed for software updates and patches and who is responsible for conducting the reviews.
  • Tracking list of vendors and what data is stored on the vendor’s system.
  • Tracking of access rights for all employees to the systems that store client data.
  • Access controls to firm data and systems including:
    • Acceptable use policies for using the firm’s network or equipment.
    • Restrictions and controls for using mobile devices when connected to the firm systems.
    • Require third party vendors to provide logs of their activity on the firm’s network.
  • Reporting of the loss of sensitive information including who should be contacted.
  • Providing mandatory staff training of cybersecurity policies and procedures.
  • Involvement from senior management to develop and approve the firm’s policies and procedures.

If you have any questions, please schedule time with your compliance consultant to discuss your cybersecurity risks.

For full details of the risk alert:

Brian Young
Brendan Furey


Post a Comment