Governments will eventually regulate industry to solve ongoing problems, and the investment industry is no exception. As cyber-risks increasingly threaten corporate finance, the Securities and Exchange Commission is tightening controls to ensure that registered investment advisers and funds comply. Here’s what’s happening and what you must do about it.
The SEC began looking at cyber-security in the financial sector as early as 2011, when it published a guidance document on the disclosure of cyber-security risks for corporate finance. This was an opinion, though, rather than an enforceable rule.
It ramped up its coverage of cyber-security risk in March 2014, holding a Cyber-security Round Table with market participants, and followed this up by announcing cyber-security examinations for registered investment advisers a month later through its Office of Compliance Inspections and Examinations (OCIE).
After a “security sweep” on 50 RIAs that September, the SEC issued a guidance update through its Investment Management Division in 2015. This document warned of periodic assessments and asked companies to produce a strategy for preventing, detecting, and responding to cyber-security threats.
As the SEC developed its cyber-security policy, it gained teeth. When RT Jones Capital Equities Management failed to produce a written security policy in September 2015, the regulator fined it $75,000 under Rule 30(a) of Regulation S-P, commonly known as the “safeguards rule.” This rule mandates that participants maintain written policies and procedures for protecting customer data. It’s important to note that while being slapped with a fine reflects poorly on a firm, it’s the reputational damage done by the SEC’s public disclosure of the action that’s more harmful.
Clearly, it was time for corporate finance professionals to sit up and take notice.
Since then, the SEC has increased its focus on cyber-security. In 2016, then-SEC Chair Mary Jo White warned that financial partners are still not tailoring policies and procedures to their specific risks. The regulator performed a cyber-security sweep of funds; broad findings are expected to be released this year.
This aggressive approach to cyber-security regulation should give companies pause in 2017. The OCIE recently published its examination priorities for the year, highlighting cyber-security as a focal point.
“In 2017, we will continue our initiative to examine for cyber-security compliance procedures and controls, including testing the implementation of those procedures and controls,” the OCIE said.
Preparing for the future
There are six measures compliance professionals in the financial services industry should consider when working to comply with these regulatory requirements:
Understand the digital assets under your care. Companies should be aware of the most critical sensitive data that they hold.
Perform a risk assessment. Once companies understand the data that they are responsible for protecting, they can explore the risks that may expose it. Some risks they can mitigate, for example by storing the data in a cloud-based service. Others they can offset through insurance. Finally, there are some risks that financial firms may simply have to accept.
Decide how to secure the assets. This will be the most significant and time-consuming of the six steps and involves a detailed technical exploration of the tools and techniques necessary to protect the assets under management. The level of risk that different assets face, as identified in the risk assessment, will be an important consideration.
Run periodic vulnerability assessments. Cyber-security is not a one-time, “fire and forget” project. It is a living, breathing process that advisers and funds must revisit as both threat vectors and business conditions change. Conduct regular vulnerability assessments to confirm that the controls you have put in place still adequately protect you against those risks.
Based on those assessments, you will need to complete two more steps:
Tighten security policies. Vulnerability assessments may highlight new risks that need an adjustment in security policy. This is part of the regular cycle of risk assessment and mitigation.
Conduct awareness training. After they put technical controls and security policies in place to secure their assets, investment firms must acknowledge the other weak spot: people. Training staff to support security policies is an important part of this six-step process.
Companies must not only put these steps in place, but also document them. Companies should not underestimate the work involved in this process from start to finish. It is not unheard of for some firms to devote three people to the process for two months to prepare for an SEC examination.
On the upside, putting in this work to follow the SEC guidance will get companies a long way toward compliance with regulation from other relevant bodies. FINRA produced its own Report on Cyber-security Practices, which it expects companies to follow.
The level of work required for regulatory compliance, combined with the need to keep current with evolving cyber-security risks, makes this a marathon and not a sprint. Devoting the human resources to cope with the workload is only half the battle; the other half involves developing a cyber-security mindset and making it a part of your culture.
Eldon Sprickerhoff is founder and chief security strategist at cyber-security company eSentire (www.esentire.com). In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.