The Office of Compliance Inspections and Examinations (OCIE) of the SEC has recently reiterated guidance that it plans to evaluate the cybersecurity practices of Registered Investment Advisors as part of its National Exam Program (NEP). The OCIE will be evaluating advisors on their ability to fend off cybersecurity attacks and to respond appropriately if an incident occurs. To guard against attacks and avoid OCIE penalties, firms should take steps now to review and enhance their current cybersecurity posture.

Current Guidance

The OCIE has once again named cybersecurity as one of its top areas of focus for 2018, and Registered Investment Advisors can expect to field questions on cybersecurity during future compliance exams. In reviewing the list of items that will be evaluated, we are encouraging advisors to focus on three areas that correspond to the most common weaknesses observed in the field.
This SEC guidance aligns with current industry best practice for organizations that are serious about protecting client data and company intellectual property. The SEC recommends that advisors focus on three areas.

Information Technology Security Risk Assessment

There are several different standards for advisors to consider when performing an information technology risk assessment for their organization. Most, however, follow this outline:
Once a formal risk assessment methodology has been adopted in an advisor's organization, it is imperative to perform the risk assessment at least annually to account for variables that change over time.

Create and test a strategy to prevent, detect and respond to cybersecurity threats

The guidance provided by the SEC on creating and testing a strategy is broad and far reaching. We recommend that advisors evaluate their security programs against a proven standard such as the Center for Internet Security (CIS) Controls. The 20 controls in this framework clearly outline a company's ability to prevent, detect and respond to attacks. While implementing the controls of an established framework will not make your company impervious to attack, it will raise the level of effort an attacker needs to compromise it.

One specific CIS Top 20 control that the SEC called out was that many organizations were not investing sufficiently to keep their software and hardware systems up to date. Inadequate maintenance of existing systems exposes an investment advisor to unnecessary risk. An assessment from an established security provider will give your organization a path forward for continuous improvement of your program, including monitoring existing hardware and software for updates. Every program, no matter where it is on the maturity spectrum, needs to be moving forward, and this framework provides a methodology for determining where to focus your resources.

Create or update written policies and procedures and train your staff (and third parties associated with your firm)

Many advisors struggle to create mature policies and procedures that are applicable to their organization and demonstrate their commitment to cybersecurity. It is important to document the controls you have in place and to ensure that management has read and approved your existing position.
The SEC has noted that most Registered Investment Advisors that have policies fail to make them specific and applicable to their organization. Policies are generally too broad and fail to provide concrete examples and specific procedures.

Effective security awareness training is imperative for an organization committed to improving its cybersecurity posture. Over 90% of security incidents begin with some form of social engineering, which highlights the importance of ensuring that your users have the training they need to defend your organization.
Elliott Davis can assist Registered Investment Advisors with meeting the SEC guidelines and with their cybersecurity programs. Elliott Davis is a Center for Internet Security SecuritySuite member, which allows us to evaluate and report on organizations and their compliance with the CIS Top 20 Controls framework. Our firm has the experience on staff to assist organizations with documentation and training as well as full cybersecurity and risk assessments. We are well versed in working directly with entity legal teams to manage attorney/client privilege regarding our engagements and findings. In the meantime, if you have questions, please contact your Elliott Davis advisor or our Investment Companies Practice Leader, Renee Ford.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.