Since it first announced its “Cybersecurity Initiative” in April 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been relentlessly setting its sights on RIA’s information security programs. In fact, as recently as its 2020 Examination Priorities, OCIE noted it will “continue to prioritize information security in each of its five examination programs.” I spoke to my partner, and our cyber expert, Cary Kvitka, regarding this ever-increasing important issue.
We’ve been helping RIAs draft customized cybersecurity policies and procedures under Regulation S-P, Rule 30(a) since April 2014. Among other things, it broadly requires RIAs to adopt written policies and procedures addressing technical safeguards to protect their clients’ data “against any anticipated threats or hazards to the security or integrity of customer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Therefore, when we customize written cybersecurity policies and procedures for our clients, we have turned to OCIE’s published guidance to help identify and address their expectations.
We’ve also learned practical lessons by guiding our clients through focused cybersecurity examinations since 2014, one of which is that size really doesn’t matter much to the SEC’s examination staff. They seem to apply the same standards to RIAs of all sizes, ostensibly because they all face the same type of palpable risks. It is simply not enough for RIAs to adopt and enforce narrowly tailored policies and procedures for the protection of their clients’ data from internal or external breaches. Rather, they must also evaluate and update those policies and procedures on an ongoing basis in response to operational changes and evolving risks.
Since this pandemic has clearly changed the way RIAs conduct business and resulted in increased cybersecurity risks, we think this is an excellent time for RIAs to conduct a formal risk assessment and consider some changes to their policies, procedures, or infrastructure, if appropriate. In doing so, OCIE’s Cybersecurity and Resiliency Observations, released not long before the pandemic took hold, serves as a benchmark for industry best practices. In this respect, SEC Chairman Clayton himself opined:
Data systems are critical to the functioning of our markets and cybersecurity and resiliency are at the core of OCIE’s inspection efforts . . . I commend OCIE for compiling and sharing these observations with the industry and the public and encourage market participants to incorporate this information into their cybersecurity assessments.
Here are a few items we suggest RIAs specifically consider during those risk assessments, based OCIE’s Cybersecurity and Resiliency Observations:
Access Management – OCIE highlights multi-factor authentication as an effective tool to mitigate both internal and external penetrations. In the context of the pandemic, RIAs should consider whether to implement or increase their use of multi-factor authentication, especially where users will be logging into firm systems from outside the firm’s physical office.
Vulnerability Scanning – RIAs should establish a vulnerability management program that could scan network components, information systems, and endpoints. Since the RIA’s endpoints may have spread well outside the office during the pandemic and they may be relying upon different vendors, they should consider the adequacy of their vulnerability management program and consider additional fortification if necessary.
Vendor Monitoring and Testing – As RIAs rely more and more on third-party service providers, OCIE has apparently increased its due diligence obligations for RIAs. This includes monitoring vendor relationships to ensure that they continue to meet security requirements and notify RIAs about critical personnel changes. The pandemic may have put overwhelming strain on some of these vendors, and therefore, RIAs may be at risk of a service interruption that could ultimately damage their clients. RIAs should therefore consider additional communications with their vendors and evaluation of substitute vendors if necessary.
Risk Assessments – The risk assessment should identify, manage, and mitigate cyber risks relevant to the RIA’s business. This includes identification and prioritization of “potential vulnerabilities, including remote or traveling employees or insider threats.” In the case of the pandemic, RIAs should assess the increased risks of having its staff working from home or inability to access firm resources as they could at the office.