Contributed by Brian Kirk, Cybersecurity Practice Leader, Elliott Davis
The Office of Compliance Inspections and Examinations (OCIE) of the SEC has recently reiterated guidance that it plans to evaluate the cybersecurity practices of Registered Investment Advisors (RIAs) as part of its National Exam Program (NEP). The OCIE will be evaluating advisors with regard to their ability to fend off cybersecurity attacks and respond appropriately if an incident occurs. To guard against attacks and avoid OCIE penalties, firms should take steps now to review and enhance their current cybersecurity posture.
The OCIE has once again named cybersecurity as one of its top areas of focus for 2018, and Registered Investment Advisors can expect to field questions on cybersecurity during future compliance exams. Having reviewed the list of items that the SEC says will be evaluated, we are encouraging advisors to focus on three areas that correspond to the most common weaknesses observed in the field.
• Conduct a Periodic Information Technology Security Risk Assessment
• Create and test a strategy designed to prevent, detect, and respond to cybersecurity threats
• Implement the strategy through written policies and procedures and training of internal staff and clients
This SEC guidance aligns with current industry best practice for organizations that are serious about protecting client and company intellectual property. They recommend that advisors focus on three areas.
Information Technology Security Risk Assessment
There are several different standards for advisors to consider when performing an information technology security risk assessment for their organization. Most, however, follow this outline:
• Identify Assets and Stakeholders – Requires RIAs to clearly outline their assets and the business process owners responsible for those assets. Identified business process owners will ultimately be responsible for the security controls protecting their assets.
• Analyze impact/damage from loss of an asset – Requires RIAs to determine the scope and magnitude of business impact if an asset were compromised. The greater the magnitude, the more stringent the controls should be to secure the asset.
• Identify Relevant Threats – Requires RIAs to determine the threat actors that may target their environment. This includes understanding whether the threat is malicious insiders, nation-state actors such as Russia/China, rival firms, or disgruntled customers. Only by clearly understanding potential adversaries can a mature defense plan be instituted.
• Investigate Vulnerabilities – Requires the RIA, once relevant threats are identified and the business impact of a compromise is determined, to begin analyzing the vulnerabilities that may exist in how it protects its information.
• Evaluate controls – Requires the assessment team to document the controls (both technical and non-technical) that are associated with each asset. The RIA should consider data loss prevention tools to monitor and protect data from inadvertent disclosure and theft.
• Consider threat likelihood – Requires analyzing the vulnerabilities and threats to the RIA to determine the threat likelihood. Security budgets are often established by calculating the threat likelihood.
Once a formal risk assessment methodology has been identified in an RIA’s organization, it is imperative to perform the information technology security risk assessment on at least an annual basis to account for variables that change over time.
Create and test a strategy designed to prevent, detect, and respond to cybersecurity threats
Guidance provided by the SEC in creating and testing a strategy is broad and far-reaching. We recommend advisors evaluate their security programs against a proven standard such as the Center for Internet Security (CIS) Controls. The 20 controls reviewed in this framework clearly outline a company’s ability to prevent, detect and respond to attacks.
While implementing controls in an established framework will not make your company impervious to attack, it will raise the complexity level needed to compromise it.
In one specific CIS Top 20 control area, the SEC noted that many organizations were not investing sufficiently to keep their software and hardware systems up to date.
Inadequate maintenance of existing systems exposes an investment advisor to unnecessary risk. An assessment from an established security provider will provide your organization with a path forward for continuous improvement of your program, including monitoring existing hardware and software for updates.
Every program, no matter where it is on the maturity spectrum, needs to be moving forward and this framework provides a methodology to determine where to focus your resources.
Create or update written policies and procedures and train your staff (and third parties associated with your firm)
Many advisors struggle to create mature policies and procedures that are applicable to their organization and demonstrate their commitment to cybersecurity. It is important to document the controls you have in place and ensure that management has read and approved of your existing position. The SEC has noted that most Registered Investment Advisors that have policies fail to make them specific and applicable to their organization. Policies in general are too broad and fail to provide concrete examples and specific procedures.
Effective security awareness training is imperative for an organization committed to improving its cybersecurity posture. Over 90% of security incidents begin with some form of social engineering, highlighting the importance of making sure that your users have the necessary training to defend your organization.
WE CAN HELP
Elliott Davis can help you meet the SEC’s guidelines and can assist Registered Investment Advisors with their cybersecurity programs. Elliott Davis is a Center for Internet Security SecureSuite member, which allows us to evaluate and report on organizations and their compliance with the Top Controls framework. Our firm has the experience on staff to assist organizations with documentation and training as well as full cybersecurity and risk assessments.
We are well versed in working directly with entity legal teams in order to manage attorney/client privilege in regard to our engagements and findings. In the meantime, if you have questions, please contact your Elliott Davis advisor or our Investment Companies Practice Leader, Renee Ford.