Contributed by Brian Kirk, Cybersecurity Practice Leader, Elliott Davis
The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) recently reiterated its plans to evaluate the cybersecurity practices of Registered Investment Advisors (RIAs) as part of its National Exam Program (NEP). Specifically, the OCIE will be reviewing the safeguards, policies, and procedures that advisors have in place to fend off cybersecurity attacks and to respond appropriately if an incident occurs. To guard against attacks and avoid exam deficiency findings (and the enforcement referrals that can follow them), firms should take steps now to review and enhance their cybersecurity posture.
Current Guidance
The OCIE has once again named cybersecurity as one of its top areas of focus for 2019, which means RIAs can expect to field questions on cybersecurity during upcoming compliance exams. Based on the items that SEC guidance indicated will be assessed in 2019, we encourage advisors to focus on the following areas:
o Development of risk assessment and governance frameworks
o Incident response planning and tabletop exercises
o Third-party management and oversight
o Access controls and data loss prevention
o Security awareness training and testing
The SEC also emphasized its intent to evaluate organizations with multiple offices and those that have recently completed mergers or acquisitions, since both tend to leave inconsistent controls and orphaned systems behind. This SEC guidance aligns with current industry best practices for protecting client data and company intellectual property.
2019 Focus Areas
Risk Assessment and Governance
There are several different standards for RIAs to consider when determining the best way to measure risk and apply mitigating controls. Most, however, follow this outline:
o Identify assets and stakeholders. RIAs should clearly outline their assets and the business owners responsible for those assets. Identified business owners will ultimately be accountable for the security controls protecting their assets.
o Analyze the potential impact/damage from the loss of an asset. RIAs need to determine the size and scope of damages if an asset were compromised. The greater the magnitude, the more stringent the controls should be to secure the asset.
o Identify relevant threats. RIAs must determine the threat actors that may target their environment. These could include malicious insiders, nation-state actors such as Russia or China, financially motivated criminal groups, rival firms, or disgruntled customers. Only by clearly understanding potential adversaries and their likely goals can a mature defense plan be instituted.
o Investigate vulnerabilities. After relevant threats are identified and the business impact of a compromise is determined, RIAs can begin analyzing vulnerabilities that may exist when trying to protect their information.
o Evaluate controls. The assessment team documents the controls (both technical and non-technical) associated with each asset and maps each control to the threats it is meant to mitigate, so that gaps are visible. Where sensitive data can leave the firm through email, removable media, or cloud storage, RIAs should consider data loss prevention tools to monitor and protect that data from inadvertent disclosure and theft.
o Gauge threat likelihood. Likelihood is estimated by combining the identified threats with the vulnerabilities they could realistically exploit. Likelihood together with impact yields the risk rating for each asset, and that rating, not the raw number of findings, should drive control priorities and, in many firms, the security budget.
Once a formal risk assessment methodology has been adopted in an advisor's organization, it is imperative to perform the risk assessment at least annually, and again after significant changes such as a new custodian, a new trading platform, or an acquisition, to account for variables that change over time.
Incident Response Planning and Testing
The SEC will be evaluating firms to verify they have documented and tested plans to respond to and recover from a cybersecurity-related incident. Industry best practice is a step-by-step plan for responding to such an incident. A mature plan contains contact information for key employees and suppliers (including the custodian, the cyber-insurance carrier, and outside counsel), an escalation chain to senior management, criteria for when an event becomes a reportable incident, and instructions on how to communicate with employees, clients, regulators, and, potentially, the media.
Incident response plans should be tested regularly, at least annually, by internal staff or third parties, typically through a tabletop exercise built around a realistic scenario such as a business email compromise that results in a fraudulent wire request. Testing inevitably identifies gaps in procedures and provides valuable insights that can be used to incrementally improve the existing plan.
Third-Party Management and Oversight
Organizations depend on third-party relationships to improve profitability, decrease costs, and provide a competitive advantage. However, these partnerships come with risks, especially when the third party stores or processes client information provided by the organization, because a compromise of the vendor is, from the client's and the regulator's point of view, a compromise of the firm.
A sound third-party management program includes procedures to inventory what data is provided to each third party, identify who at the vendor has access to it, and document the security controls that are in place to safeguard it. Vendors should be risk-ranked by the sensitivity of the data they handle, with the highest-risk vendors reviewed at least annually, and contracts should require timely notification of security incidents.
Access Controls and Data Loss Prevention
The principle of “Least Privilege” dictates that users and systems are granted only the access required for a legitimate business purpose, and no more. Mature organizations have documented policies and procedures that outline how access to sensitive information is requested, approved, and granted, how it is removed when an employee changes roles or leaves, and how entitlements are periodically recertified by the business owner of the data. Detailed access logging that records who accessed, changed, deleted, or moved information allows a firm to reconstruct events after an incident and to detect access that the policy never authorized. In addition to applying proper access controls to information, RIAs are encouraged to consider specific technologies that monitor the movement of data, both inside and outside the organization, to verify that it hasn't been stolen or misused.
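The following script is an added example, not code from the article or from Elliott Davis, of the access review described above: it reconciles who should be able to reach each class of data (role entitlements plus joiner/leaver dates from an HR roster) against who actually did (an access log), and flags every access the policy does not authorize. The role names, data classes, roster, and pipe-delimited log format are all assumptions constructed for illustration.

```python
"""Least-privilege access review (added example; all data below is constructed).

Reconciles an access log against (1) a roster of users with start/end dates and
(2) a role-to-entitlement matrix, reporting three kinds of policy violation:
  - an identity in the log that is not in the roster at all
  - an access made after the user's termination date
  - an access outside the entitlements of the user's role
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Assumed role -> set of (data_class, action) entitlements.
ENTITLEMENTS = {
    "advisor": {("client_pii", "read"), ("client_pii", "write"),
                ("portfolio", "read"), ("portfolio", "write")},
    "operations": {("portfolio", "read"),
                   ("trade_blotter", "read"), ("trade_blotter", "write")},
    "marketing": {("marketing_lists", "read"), ("marketing_lists", "write")},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    start: date
    end: Optional[date] = None  # None means still employed

    def active_on(self, day: date) -> bool:
        """True if the user was employed on `day` (end date is exclusive)."""
        return self.start <= day and (self.end is None or day < self.end)


# Constructed HR roster. 'jlee' left on 2019-03-01 but still appears in the log,
# which is exactly the deprovisioning failure an access review should surface.
USERS = {
    "asmith": User("asmith", "advisor", date(2017, 1, 9)),
    "bjones": User("bjones", "operations", date(2018, 6, 4)),
    "jlee": User("jlee", "marketing", date(2016, 2, 1), end=date(2019, 3, 1)),
}

# Constructed access log, one event per line: timestamp|user|action|data_class|object
ACCESS_LOG = """\
2019-03-04T09:12:03|asmith|read|client_pii|clients/1042.json
2019-03-04T09:15:44|bjones|read|client_pii|clients/1042.json
2019-03-04T10:01:10|bjones|write|trade_blotter|blotter/2019-03-04.csv
2019-03-04T13:40:27|jlee|read|marketing_lists|lists/q1_prospects.csv
2019-03-04T13:41:02|jlee|export|client_pii|clients/all.csv
2019-03-05T08:02:55|unknown_svc|read|portfolio|portfolios/summary.json
"""


@dataclass(frozen=True)
class Finding:
    line: int
    user: str
    reason: str


def parse_log(text: str) -> List[Tuple[int, datetime, str, str, str, str]]:
    """Parse the assumed pipe-delimited log into (line_no, ts, user, action, data_class, obj)."""
    events = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        ts, user, action, data_class, obj = raw.split("|", 4)
        events.append((n, datetime.fromisoformat(ts), user, action, data_class, obj))
    return events


def review(log_text: str = ACCESS_LOG, users=USERS, entitlements=ENTITLEMENTS) -> List[Finding]:
    """Return one Finding per log event that the access policy does not authorize."""
    findings = []
    for n, ts, user, action, data_class, obj in parse_log(log_text):
        u = users.get(user)
        if u is None:
            findings.append(Finding(n, user, "identity not in roster"))
            continue
        if not u.active_on(ts.date()):
            findings.append(Finding(n, user, f"access after termination ({u.end})"))
            continue
        if (data_class, action) not in entitlements.get(u.role, set()):
            findings.append(Finding(n, user,
                                    f"role '{u.role}' not entitled to {action} on {data_class}"))
    return findings


if __name__ == "__main__":
    for f in review():
        print(f"line {f.line}: {f.user}: {f.reason}")
```

Run against the constructed log, the review reports four findings: an operations user reading client PII, two accesses by a user whose employment ended three days earlier (one of them an export of all client records), and a service identity nobody can account for. The first is a role-design or provisioning problem, the second is a deprovisioning failure, and the third is an inventory gap; each maps to a distinct policy and procedure the exam will ask about.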
Security Awareness Training and Testing
Effective security awareness training is imperative for an organization committed to improving its cybersecurity posture. By many industry estimates, more than 90 percent of security incidents begin with some form of social engineering, most often a phishing email, which highlights the importance of ensuring users have the training needed to recognize and report it.
RIAs are encouraged to make cybersecurity training mandatory for all staff, with a particular emphasis on vigilance and on prompt reporting of suspicious messages and requests (a reported phishing email is a success, not a failure). Organizations should also test their employees with simulated phishing, vishing, and physical assessments to verify that staff awareness is commensurate with the level of risk the firm is willing to accept, and should track results over time rather than treating a single campaign as a pass.
We Can Help
Elliott Davis can help Registered Investment Advisors meet the SEC guidelines and build their cybersecurity programs. Our firm is a Center for Internet Security SecureSuite member, which allows us to evaluate and report on organizations' compliance with the CIS Top 20 Controls framework. We have the experience on staff to assist organizations with documentation and training, as well as full cybersecurity and risk assessments. Our cybersecurity professionals are well versed in working directly with legal teams to manage attorney-client privilege regarding our engagements and findings.
For more information or answers to specific questions, please contact your Elliott Davis advisor or our Investment Companies Practice Leader Renee Ford.