July 1, 2019


Cybersecurity has been, and will continue to be, a focus of industry regulators. How important has this theme been? It is so important that the SEC has included cybersecurity in its annual examination priorities for the last five years. The SEC's 2019 examination priorities indicate the focus areas will include proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information, risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

The SEC announced in March 2019 that it would be conducting its third round of cybersecurity sweep exams. The prior sweeps occurred in 2014 and 2017. The first two sweeps were similar in scope. The Office of Compliance Inspections and Examinations (“OCIE”) examined firm policies and procedures and the documentation supporting that these policies were being followed. Issues identified included policies and procedures that provided only general guidance, offered limited examples of safeguards for employees, and were generally too vague. The staff also noted that in a number of cases firms were in fact not enforcing their policies and procedures, or the policies and procedures did not reflect actual practices.

In May 2019, the SEC issued a Risk Alert regarding the safeguarding of customer records and information within firms' network storage, as well as the use of third-party security features. During the course of examinations, OCIE noted misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures. The alert communicated that effective policies and procedures should address initial installation, ongoing maintenance, and vendor management.

Cybersecurity threats will only continue to increase: the supply of nefarious individuals and organizations is seemingly never-ending, and they keep creating phishing schemes and a variety of other ways to infiltrate firm systems.

We believe the following misperceptions remain prevalent within the RIA industry:

1) Cyber threats against RIA firms are rare.

Regrettably, this isn't the case. Just among our client base, we see attempted cyber frauds occur all the time. Some of our clients (the clients of our clients, to be exact) have been the target of cyber fraud, usually by means of hacked email accounts and fraudulent wire requests.

2) Cybersecurity is a “big firm” problem.

Every RIA, big or small, has points of vulnerability. In fact, regulators have specifically noted that smaller RIA firms will not get a pass when it comes to putting procedures in place to protect clients.

3) Cybersecurity is an IT issue.

Cybersecurity requires a multi-pronged approach and goes well beyond information technology. Effective cybersecurity risk management is a cross-functional challenge that must also address operational processes, vendor management, regulatory requirements, and, most importantly, human management. Truth be told, we, as humans, are often the damaging factor in cybersecurity events.

When establishing policies and procedures, RIAs should follow a number of prudent steps that would not only satisfy regulatory expectations but also protect their clients from the very real threats that exist today. They include:

  • Maintain a working knowledge of all clients (and their “normal” activity with respect to wire requests);
  • Secure mobile devices;
  • Secure hardware and office space, and set procedures and controls that govern how your firm processes client wire requests;
  • Utilize encryption tools to send sensitive client information via email;
  • Stay current with patches and updates; and
  • Test your policies and procedures to ensure they are being followed or to identify where they require enhancements.
