On September 15, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a new cybersecurity risk alert. In it, the SEC reemphasized its intention to conduct a second phase of cybersecurity examinations of investment adviser firms.
As if on cue, in late September, a St. Louis-based investment adviser settled SEC charges that it lacked an adequate cybersecurity plan before a data breach that compromised personal information of about 100,000 individuals, including thousands of the firm’s clients.
An SEC investigation found that R.T. Jones Capital Equities Management violated the SEC's "safeguards rule." For four years, the firm "failed to adopt any written policies and procedures to ensure the security and confidentiality of PII [personally identifiable information] and protect it from anticipated threats or unauthorized access," the SEC said.
From the SEC’s first risk alert on the topic in April 2014 to its examination priorities announced in January, to the first round of examination sweeps conducted this year, the SEC has targeted cybersecurity as a real threat and placed it high on its list of priorities.
The agency’s most recent risk alert provides additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls. More extensive testing could mean that the SEC will be conducting more onsite visits to firms in this second round of exams.
Some first steps for compliance and risk professionals in firms that are preparing for a possible SEC examination of their cybersecurity policies and procedures include:
- Identifying the firm's cybersecurity risk, that is, the amount of risk posed by the firm's activities and interconnectivity: anything that creates a potential for loss or damage to an asset as a result of a threat exploiting a vulnerability.
- Safeguarding the firm's data once its threats, vulnerabilities, and risks have been identified, which lets the firm assess whether it has the appropriate safeguards or controls in place to mitigate the various types of threats it faces.
- Training staff on the importance of safeguarding data and on spotting vulnerabilities, which is integral to the business's maintenance of secure systems.
- Testing the firm's systems and procedures, including the contingency arrangements it has designed to stand in for systems that have been compromised. Additionally, to remain effective, all of the firm's detection tools and security processes must be regularly upgraded to enable continuous monitoring and real-time detection of constantly evolving threats.
Being able to show the firm's adherence to strict cybersecurity protocols, from risk identification to training, will go a long way in showing regulators (and shareholders) how seriously the firm takes its data security.
Officials from the SEC's Office of Compliance Inspections and Examinations (OCIE) have said that if they find compliance manuals that are not specific to the adviser's business, they will assume that compliance is not well respected at the firm, conclude that the firm is at high risk of violations, and will likely conduct a top-to-bottom review of the firm's entire operations.
Julie DiMauro is a contributing editor of the FCPA Blog. She works in the Regulatory Intelligence group at Thomson Reuters in New York. Follow Julie on Twitter @Julie_DiMauro and email her at [email protected].