The SEC’s Roadmap for RIA Information Security & Operational Resilience

Through a combination of promulgated rules, industry advisories/alerts,  and detailed summaries of the SEC’s previous audit findings, Registered Investment Advisors (RIA)s have been provided a solid foundation of evidence from which they can build a compliant and secure posture for their organizations.

The following sections outline, in chronological order, each of the major SEC publications evidencing those controls required or expected to be implemented within an RIA.

Smplsolution’s cybersecurity consulting team is uniquely qualified to address each of these SEC required or recommended controls with solutions that meet or exceed the standards for your firm’s compliance. 

February 5, 2004 – Final Rule 206(4)-7 : Compliance Programs of Investment Companies and Investment Advisers

This rule provides the following recommendations for inclusion in a firm’s information security program:

• Policies and procedures ensuring the accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements.
• Policies and procedures ensuring the Safeguarding of client assets from conversion or inappropriate use by advisory personnel;
• Policies and procedures assuring the accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction.
• Confidentiality measures are in place to safeguards for the privacy protection of client records and information.
• Business continuity plans are maintained and tested annually.
• Annual review of policies and procedures for adequacy and relevance.
• Recordkeeping Rule 204-2 require firms to maintain copies of all policies and procedures that are in effect or were in effect at any time during the last five years. Also requires advisers to keep any records documenting their annual review.

Feb. 3, 2015 – Summary of OCIE National Exam Program – Audit Findings
(See Feb 2015 Cybersecurity Examination Sweep Summary)

These audit findings evidence provide evidence for the recommended controls that should be properly implemented within an RIA:

• • Written business continuity plans often do not address the impact of cyber-attacks or intrusions. 
  • Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents. 
  • Most of the examined firms reported that they have been the subject of a cyber-related incident.

• Fraudulent e-mails – Systems to protect against spam, phishing and malware
• • Failure to follow identity verification procedures
  • Smaller incidents of employee or other authorized user engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client, or firm information, or in damage to the firms’ networks 
• examined firms identify best practices through information-sharing networks like FS-ISAC
• The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. Similar standards of review should be applied to 3rd party vendors
• Controls Frameworks – Many firms are utilizing external standards and other resources to model their information security architecture and processes (e.g NIST, ISO, FFIEC)
• The designation of a Chief Information Security Officer (“CISO”) varied by the examined firms’ business model. 
• Many examined firms provide their clients with suggestions for protecting their sensitive information. 
• Use of cybersecurity insurance revealed among the examined firms.
• Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form 
• examined firms’ maintain cybersecurity risk policies relating to vendors and business partners revealing varying findings 
• The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources 

April 2015 – SEC Division of Investment Management – IM Guidance Update (2015-02)

This SEC guidance provides the following recommendations for inclusion in a firm’s information security program:

• Conduct a periodic assessment of: 
  • (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses (inventory systems and data); 
  • (2) Risk and vulnerability assessment – internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; security controls and processes currently in place; 
  • (4) the impact should the information or technology systems become compromised; and 
  • (5) Risk management – the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk

• Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: 
  • (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;
  • (2) data encryption; 
  • (3) DLP – protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
  • (4) data backup and retrieval; and 
  • (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy. 
• Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts. 
• compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws. For example, the compliance program of a fund or an adviser could address cybersecurity risk as it relates to identity theft and data protection, fraud, and business continuity, as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions. Accordingly, funds and advisers may wish to consider reviewing their operations and compliance programs and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk.
• Because funds and advisers rely on a number of service providers in carrying out their operations, funds and advisers may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service provider

September 15, 2015 – OCIE Cybersecurity Exam Initiative

A brief list of exam priorities:

• Governance and risk assessment Program

• Access rights and controls

• Data Loss Prevention 

• Vendor Management (Vendor Risk)

• Training (SEAT)

June 2016 – SEC Division of Investment Management – IM Guidance Update (2016-04)
This SEC guidance provides RIAs with the following recommendations for inclusion in their firm’s information security program:

• SEC extends expectation of requirement for BCDR plan development and testing to advisers assuring the ability for them to continue operations and servicing of their investors during business disruptions regardless of cause. Discuss “Availability” of systems.
  • Plans typically cover the facilities, technology/systems, employees, and activities conducted by the adviser and any affiliated entities, as well as dependencies on critical services provided by other third-party service providers.
  • A broad cross-section of employees from key functional areas are involved in BCP programs at the entity typically including, but not limited to, senior management (including officers), technology, information security, operations, human resources, communications, legal, compliance, and risk management to assist in efforts to ensure continuity and resiliency when events occur.
  • Continuity planning includes Service provider oversight programs generally incorporating both initial and ongoing due diligence processes, including review of applicable business continuity and disaster recovery plans for critical providers. The organization typically seeks a combination of information to conduct its oversight, including, but not limited to, service provider presentations, on-site visits, questionnaires, certifications, independent control reports, and summaries of programs and testing, where appropriate, including with respect to BCPs.
  • Some form of BCP testing for the plan occurs at least annually.

Additional Considerations Regarding Critical Service Providers:

• Back-Up Processes and Contingency Plans.
  Advisers should consider examining critical service providers’ backup processes and redundancies, the robustness of the provider’s contingency plans, including reliance on other critical service providers, and how these providers intend to maintain operations during a significant business disruption. Fund complexes generally should understand how their own BCP addresses the risk that a critical service provider could suffer a significant business disruption and how the provider and the fund complex might respond under certain scenarios.
• Monitoring Incidents and Communications Protocols.
  Advisers should consider how they can best monitor whether a critical service provider has experienced a significant disruption (such as a cybersecurity breach or other continuity event) that could impair the service provider’s ability to provide uninterrupted services, the potential impacts such events may have on the adviser and investors, and the communication protocols and steps that may be necessary for the adviser to successfully navigate such events.
  • Develop policies and procedures.
  • Develop and external communication plan.
  • Assure timely communication and reporting of progress

OCIE Exam Priorities Advisory – 2017

• Cybersecurity. In 2017, OCIE will continue its initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls. 

OCIE National Exam Program (May 17, 2017) – Ransomware Alert

This alert focuses on controls vital to avoid a successful ransomware attack:

• • Cyber-risk assessments: Need to identify threats, vulnerabilities and potential business consequences.
  • Penetration testing of critical systems.
• System maintenance and patching

Summary of OCIE National Exam Program (Aug. 7, 2017) – Audit Findings

These audit findings evidence provide evidence for the recommended controls that should be properly implemented within an RIA:

In the examinations, the staff observed:

• • Nearly all broker-dealers and the vast majority of advisers and funds conducted periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber-incident. 
  • Nearly all broker-dealers and almost half of the advisers and funds conducted penetration tests and vulnerability scans on systems that the firms considered to be critical, although a number of firms did not appear to fully remediate some of the high risk observations that they discovered from these tests and scans during the review period. 
  • All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information. 
  • All broker-dealers and nearly all advisers and funds had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, the staff observed that a few of the firms had a significant number of system patches that, according to the firms, included critical security updates that had not yet been installed. 
  • Information protection programs at the firms typically included relevant cyber-related topics, such as: 
    • Policies and procedures. Nearly all firms’ policies and procedures addressed cyber-related business continuity planning and Regulation S-P.  In addition, nearly all broker-dealers and most advisers had specific cyber and Reg S-ID policies and procedures. (Discuss SP privacy protections including disposal requirements)
    • Incident response plans.

• Maintained cybersecurity org chart

• Advisers having authority to transfer client funds to or from third partiers
  • Inadequate policies and procedures – informal
  • Did have policies and procedures for verifying authenticity of customer ID and request for fund transfers.
• Vendor risk management programs were in place with annual review and updating.

Recommendations:

• • Require annual customer protection review.
  • Require annual review of supplemental (compensating) security controls 
  • Reg-SP violations to be cured (Reiterate issues of confidentiality):
    • Stale risk assessments

• Lack of remediation efforts

• • • Poor or non-existent patch management (should be scheduled and have policies and procedures).
  • P&P should include an inventory of data, information and vendors.
  • Suggest vulnerability and penetration testing 
  • Security monitoring and system auditing.
  • Maintenance of control and audit of access rights 
  • Chain of reporting and review.
  • Maintain prescriptive schedules and policies for:
    • Vulnerability scans with remediation plan.
    • Patch management.
  • Establish and enforce controls over access to data and systems
    • AUP for employee use of assets and network

• Mobile device management
• • 3rd party vendor logging of their network activity.
  • Policies for employee termination.
• Mandatory employee training (Discuss SEAT training)
• Engagement and commitment of senior management.

Summary of OCIE National Exam Program Priorities (2019) & Audit Findings (2018)

This document outlines exam priorities as well as evidence of their controls expectations within an RIA:

Cybersecurity protection is critical to the operation of our markets. The scope and severity of risks that cyber threats present have increased dramatically. The impact of a successful cyber attack may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and consequences. We are focused on working with firms to identify and manage cybersecurity risks and to encourage market participants to actively and effectively engage in this effort. We will continue to prioritize cybersecurity in each of our examination programs. Our examinations have and will continue to focus on, among other things, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response 

Audit Findings (2018)

• Insufficient policies and procedures related to DLP, vendor risk, inventory management, and patching.
• Failure to report system disruptions and outages in a timely manner.

Summary of OCIE National Exam Program Priorities (2020) & Audit Findings (2019)

This document outlines exam priorities as well as evidence of their controls expectations within an RIA:
2020 Priorities : In FY 2020, OCIE will continue to monitor industry developments and market events to assess impact on retail investors and SEC-registered firms, and continue to tailor its riskbased program to respond. The footprint of registered entities has become more global and diverse, often with an increased dependency on services and operations worldwide. And the use of third-party service providers and other vendors by registrants continues to increase, which can bring improved expertise and effectiveness, but also additional challenges and risks to organizations. OCIE will continue to focus on third-party risk management in FY 2020. OCIE will also closely track and evaluate the impact of several major risk themes affecting its registrant population, including information security and resiliency risks, geopolitical events, and the industry’s transition away from LIBOR.

OCIE will continue to prioritize information security in each of its five examination programs. Examinations will focus on, among other things, proper configuration of network storage devices, information security governance generally, and retail trading information security. Specific to RIAs, OCIE will continue to focus its examinations on assessing RIAs’ protection of clients’ personal financial information. 

Particular focus areas will include: (1) governance and risk management; (2) access controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response and resiliency. In the area of third-party and vendor risk management, OCIE will also focus on oversight practices related to certain service providers and network solutions, including those leveraging cloud-based storage. 

OCIE will continue to conduct examinations of registrants to review for compliance with Regulations S-P and S-ID. OCIE also will focus on the controls surrounding online access and mobile application access to customer brokerage account information. Finally, OCIE will examine for the safeguards around the proper disposal of retired hardware that may contain client information and potential network information that could create an intrusion vulnerability

Audit Findings (2019)

• Insufficient policies and procedures related to DLP, vendor risk, inventory management, and patching.
• Failure to report system disruptions and outages in a timely manner.

Summary of SEC Exam Priorities (2021)

This document outlines exam priorities as well as evidence of their controls expectations within an RIA:

• The increase in remote operations due to the pandemic has heightened the SEC’s concerns over:
  • Endpoint Security
  • Data Loss Prevention
  • Remote Access security
  • Use of 3rd party systems, and
  • Vendor management and oversight

Examinations will focus on key areas such as:

• safeguarding customer accounts and preventing account intrusions, including verifying an investor’s identity to prevent unauthorized account access.
• oversight vendors and service providers
• address malicious email activities, such as phishing or account intrusions.
• respond to incidents, including those related to ransomware attacks.
• manage operational risk as a result of dispersed employees in a work-from-home environment.

Summary of SEC Exam Priorities (2022)

This document outlines exam priorities as well as evidence of their controls expectations within an RIA:

Examinations will focus on key areas such as:

• safeguarding customer accounts and preventing account intrusions, including verifying an investor’s identity to prevent unauthorized account access.
• oversight of vendors and service providers. 
• addressing malicious email activities, such as phishing or account intrusions 
• responding to incidents, including those related to ransomware attacks. 
• identify and detect red flags related to identity theft, and 
• managing operational risk because of a dispersed workforce in a work-from-home environment. 

In the context of these examinations, the Division will focus on, among other things,  RIAs’ compliance with Regulations S-P and S-ID, where applicable.

Summary of SEC Exam Priorities (2023)

This document outlines exam priorities as well as evidence of their controls expectations within an RIA:

Examinations will focus on key areas such as:

• Prevention of interruptions to mission-critical systems
• Protection of investor information, assets and records
• Adequate policies and procedures designed to safeguard customer information as well as proper disclosure of books and records storage locations.
• Adequacy of incident response procedures, especially in the event of a ransomware attack.
• Compliance with Regulation S-P and S-ID
• Adequacy of 3rd party vendor risk assessments
• Adequacy of resiliency planning in the context of climate risks.

After reviewing the above, you might be wondering how to best prepare for a future SEC examination of the firm’s information security and operational resiliency. For our valued customers, Smplsolution’s senior cyber-focused vCIO team has compiled a simplified checklist of those administrative and technical controls that the SEC recommends or requires to be implemented within your RIA firm.

Additional SEC cybersecurity-related resources,  in the form of alerts and/or notices, are made  available via the links provided below:

Cybersecurity Risk Alert: Safeguarding Client Accounts against Credential Compromise
September 15, 2020

Cybersecurity Risk Alert: Ransomware Alert
July 10, 2020

Cybersecurity Risk Alert: Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features
May 23, 2019

Cybersecurity Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies
April 16, 2019

Written by Eric Gaffin – Linkedin