2020 Investment Adviser Update—There’s a “Voice Inside Your Head You Refuse to Hear” (But You Should)
SEC Examination Priorities for 2020
On January 7, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published its examination priorities for 2020 (Exam Priorities) for various regulated entities, including investment advisers. [2] OCIE announces its exam priorities annually to provide insight into the areas it believes present potentially heightened risk to investors or to the integrity of the U.S. capital markets. [3] The Exam Priorities can serve as a roadmap to assist advisers in assessing their policies, procedures and compliance programs; testing for and remediating any suspected deficiencies related to the Exam Priorities; and preparing for OCIE exams. Advisers are encouraged to review their current policies, procedures and client disclosures with these priorities in mind. Exempt reporting advisers (ERAs), as well as registered investment advisers (RIAs), are subject to SEC examination, although the SEC has indicated that it does not expect to examine ERAs on a routine basis.
Guidance on Cybersecurity and Operational Resiliency
In January 2020, the OCIE issued observations from examinations of investment advisers and other SEC registrants to assist market participants in considering how to enhance cybersecurity preparedness and operational resiliency (Cybersecurity Guidance). [5] OCIE recognized at the outset of the report that there is no “one-size-fits-all” approach and that not all of the practices discussed in the report may be appropriate for any one firm. OCIE stated, “In sharing these staff observations, we encourage market participants to review their practices, policies and procedures with respect to cybersecurity and operational resiliency. We believe that assessing your level of preparedness and implementing some or all of the above measures will make your organization more secure.”
Governance and Risk Management
The Cybersecurity Guidance stresses that effective cybersecurity programs start with the right tone at the top. OCIE has observed firms utilizing the following risk management and governance measures:
Devoting senior leadership attention to setting the strategy of and overseeing the firm’s cybersecurity and resiliency programs;
Conducting a risk assessment to identify, prioritize and mitigate cyber risks;
Implementing, monitoring and testing comprehensive written cybersecurity policies and procedures;
Continuously evaluating and adapting to changes; and
Establishing communication policies and procedures to provide timely information to senior management, customers, employees, other market participants and regulators, as appropriate.
Access Rights and Controls
Access rights and controls are used to determine the appropriate users of an organization’s systems based on job responsibilities, and to deploy controls that limit access to those authorized users. OCIE has observed firms with strategies that include, for example:
Developing a clear understanding of access needs to systems and data;
Managing user access through systems and procedures that implement separation of duties for user access approvals, re-certify access rights on a periodic basis, and utilize multi-factor authentication; and
Monitoring for unauthorized user access.
Data Loss Prevention
OCIE has observed the following data loss prevention measures, among others:
Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations and endpoints within both the firm and applicable third-party providers;
Implementing perimeter security capabilities that are able to control, monitor and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic;
Maintaining an inventory of hardware and software assets, including identification of critical assets and information;
Using tools and processes to secure data and systems through encryption and network segmentation; and
Verifying that the decommissioning and disposal of hardware and software does not create system vulnerabilities.
Incident Response and Resiliency
OCIE has observed that many firms have incident response plans that include the following elements, among others:
Developing a risk-assessed incident response plan for various scenarios, including denial-of-service attacks, malicious disinformation, ransomware, and key employee succession, as well as other extreme but plausible scenarios;
Determining and complying with applicable federal and state reporting requirements;
Testing the incident response plan and potential recovery times; and
Developing a strategy for operational resiliency with defined risk tolerances tailored to the firm.
Vendor Management
OCIE has observed the following practices:
Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented;
Understanding all contract terms to ensure that all parties have the same understanding of how risk and security are addressed; and
Monitoring the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.
Other topic areas covered in the Cybersecurity Guidance include establishing policies and procedures that address the additional and unique vulnerabilities associated with mobile devices and applications, and the key role of cybersecurity training.