SEC Issues Update on 2015 Cybersecurity Examination Initiative
On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert providing additional guidance on key focus areas for round two of its cybersecurity examinations. Specifically, OCIE stated that exams will “involve more testing to assess implementation of firm procedures and controls.” The Commission intends to focus on the following areas as a means to collect information on cybersecurity-related controls and assess the controls in place at firms:
Governance and Risk Assessment: According to the Alert, OCIE may evaluate the governance and risk assessment process for areas including, but not limited to, access control, employee training, third-party/vendor management and IT systems management. Examiners also expect to see that assessments and associated policies are specific to a firm’s business.
Access Rights and Controls: OCIE warns that the lack of basic access controls and user management policies can result in unauthorized access to systems and information. Examiners may request details on how a firm manages user rights and what supporting technologies are in place.
A few internal security best practices we advise clients to keep in mind are: 1) maintain a strong password policy, 2) evaluate multi-factor authentication, and 3) implement a mobile device management policy.
Data Loss Prevention: For this control area OCIE covers two potential data breach weaknesses. The first is inadequate controls around patch management and systems configuration. In this area, examiners may question how security patches are prioritized and how that prioritization drives the handling of each patch. The second area dives deeper into data loss prevention (DLP), asking firms how they monitor the flow of files and data, particularly large attachments or uploads.
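To make the DLP monitoring point concrete, the following is an added example (not code from Eze Castle Integration, OCIE, or the Risk Alert) showing the kind of check a firm could run over outbound-transfer logs: it parses a small set of constructed proxy and mail-gateway lines, flags any single upload or attachment above a size threshold, and totals bytes per user against a daily budget. The log format, user names, destinations, and both thresholds (25 MiB per transfer, 100 MiB per user per day) are assumptions chosen for illustration, not values from the Alert.

```python
"""Flag unusually large outbound file transfers in gateway logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample log lines for illustration only; the format is assumed:
#   <timestamp> <user> <UPLOAD|MAIL_ATTACH> <destination> <bytes>
SAMPLE_LOG = """\
2015-09-16T09:01:12 alice UPLOAD storage.example-cloud.test 1834291
2015-09-16T09:03:40 bob MAIL_ATTACH partner.example.test 245000
2015-09-16T09:05:02 alice UPLOAD storage.example-cloud.test 52428800
2015-09-16T09:07:15 carol MAIL_ATTACH personal-mail.example.test 31457280
2015-09-16T09:09:33 bob UPLOAD storage.example-cloud.test 8000
2015-09-16T09:11:47 alice UPLOAD filedrop.example.test 73400320
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>UPLOAD|MAIL_ATTACH)\s+"
    r"(?P<dest>\S+)\s+(?P<size>\d+)$"
)

# Assumed thresholds; a real programme would tune these to the firm's baseline.
LARGE_TRANSFER_BYTES = 25 * 1024 * 1024   # single transfer worth a review
DAILY_USER_BUDGET_BYTES = 100 * 1024 * 1024  # cumulative outbound bytes per user


@dataclass
class Transfer:
    ts: str
    user: str
    action: str
    dest: str
    size: int


def parse_log(text):
    """Parse gateway lines into Transfer records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line abort the whole review
        events.append(Transfer(m["ts"], m["user"], m["action"], m["dest"], int(m["size"])))
    return events


def flag_large_transfers(events, threshold=LARGE_TRANSFER_BYTES):
    """Return individual transfers at or above the single-transfer threshold."""
    return [e for e in events if e.size >= threshold]


def per_user_totals(events):
    """Sum outbound bytes per user across all actions."""
    totals = defaultdict(int)
    for e in events:
        totals[e.user] += e.size
    return dict(totals)


def users_over_daily_budget(events, budget=DAILY_USER_BUDGET_BYTES):
    """Users whose cumulative outbound volume reaches the daily budget."""
    return sorted(u for u, total in per_user_totals(events).items() if total >= budget)


def build_report(text):
    """Run both checks and return a structured summary for the reviewer."""
    events = parse_log(text)
    return {
        "events_parsed": len(events),
        "large_transfers": [(e.ts, e.user, e.action, e.dest, e.size)
                            for e in flag_large_transfers(events)],
        "users_over_budget": users_over_daily_budget(events),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    print(f"parsed {report['events_parsed']} events")
    for row in report["large_transfers"]:
        print("LARGE TRANSFER:", *row)
    print("users over daily budget:", report["users_over_budget"])
```

Both checks matter: the per-transfer threshold catches a single large upload, while the per-user total catches the same volume split into smaller pieces. In practice the thresholds would be set from a baseline of normal activity and the flagged rows routed to whoever owns DLP review.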
Vendor Management: OCIE highlights the significant risk exposure third-party vendors and platforms can introduce to a firm and reinforces the importance of conducting adequate and regular due diligence. The Alert states that examiners may ask firms to outline how they evaluate, audit and assess vendors and how that diligence links with the firm’s ongoing risk assessment process.
Training: The Alert reinforces that employees and vendors can unintentionally put a firm’s data at risk if proper training is not conducted. The reality is that a firm’s security strategy will only work if employees are properly trained on it.
The goal of an information security awareness program is not merely to educate employees on potential security threats and what they can do to prevent them. A larger goal should be to change the culture of your organization to focus on the importance of security and get buy-in from end users to serve as an added layer of defense against security threats.
Incident Response: OCIE examiners expect firms to have detailed written information security plans as well as incident response policies.
As outlined by Shelley Rosensweig of Haynes and Boone in her article Cybersecurity Risks and Implications for Investment Advisers, advisers should consider the following when implementing an Incident Response Plan:
Designating a coordinator and team that is available at all times for incident response (e.g., an adviser’s general counsel, CIO/IT head, or compliance consultant).
Determining the scope of the incident or breach (including determining what was lost, analyzing how confident the adviser’s team is of the existing system’s integrity, determining whether compromised data was encrypted, and interviewing employees and vendors about their responses and their system security, respectively).
Preparing a post-incident report and analysis detailing the event and the adviser’s response, and considering any applicable revisions to the adviser’s policies and procedures in light of the breach and response.
Taking immediate measures to prevent compromises and unauthorized access (including requiring periodic password changes and restricting use of the system by non-essential vendors and contractors).
Determining the adviser’s obligations under federal, state, local and/or international law (e.g., if there has been a breach, determining (in conjunction with counsel) if any governmental agency should be notified or if Form ADV needs to be updated).
Considering whether the adviser’s insurance company has to be notified.
Eze Castle Integration is actively working with clients to address the items above through technology solutions and written information security plans/programs. Please contact your client relationship manager or reach out HERE.