SEC Announces the 2nd wave of Cyber Security Audits for Investment Advisors and Broker Dealers


By John Stuart and Vincent Sos

The SEC has released a statement alerting investment advisors and broker-dealers that a second round of cybersecurity examinations is coming. The SEC has a focused effort on keeping client information safe from cyber attacks, identity theft, phishing and the other common malicious attacks whose aim is to steal client data. On Sept. 15, 2015 the SEC's Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert that "underscored the importance of cyber security to the integrity of the market system and customer data protection". This warning came just a week before a Sept. 22 announcement of a $75,000 fine against an RIA that, according to the release, "failed to establish the required cyber security policies and procedures."

This is the second wave of communication from the SEC in the past two years on the importance of securing client data, both internally within your organization and externally with partners and technology service providers, cloud-based applications in particular. Investment advisors need to understand that while a decline in portfolio performance may cost a few relationships, a breach of client data could be far more severe, risking serious damage to the firm's reputation.

The SEC's examinations concentrate on six audit areas:

1. Governance and Risk Assessment - Oversight of client data that is specific to the firm's organization and business model, not just an off-the-shelf solution. Since every firm is different, the SEC wants to see firm-specific procedures for the firm's data security practices.

2. Access Rights and Controls - How the firm controls application users and their permission levels for access to client data. For example, should the unregistered receptionist have access to the Order Management System? (The answer is no.)

3. Data Loss Prevention (DLP) - DLP consists of best practices and security tools that reduce the leakage of client data outside the organization's control. Sending a client account number over a non-secure channel such as a personal email account would be considered a high-risk item in a DLP audit. Enterprise-grade DLP systems inspect these messages in real time and prevent restricted data from leaving the firm's environment by blocking delivery.
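To make the DLP point concrete, the following is a small outbound-email policy check added here as an illustration; it is not code from the authors or from any DLP product. It assumes a hypothetical firm domain examplefirm.com, a constructed account-number format of three letters and eight digits, and a policy of: allow restricted data inside the firm, block it to personal webmail, hold it for review to any other external domain. The sample messages are constructed and contain no real client data.

```python
"""Minimal outbound-email DLP policy check (added illustration).

Assumptions (not from the SEC alert): the firm's own domain is
examplefirm.com, client account numbers look like ABC-12345678, and
the policy is: restricted data may travel inside the firm, is blocked
outright to personal webmail, and is held for review to any other
external recipient.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CORPORATE_DOMAINS = {"examplefirm.com"}                       # assumption
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com",
                    "outlook.com", "aol.com"}                 # assumption

# Detectors for restricted client data. The account-number format is a
# constructed example; a real deployment would use the firm's own format.
ACCOUNT_RE = re.compile(r"\b[A-Z]{3}-\d{8}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, used to keep random digit runs from firing the card rule."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_restricted(text: str) -> list[str]:
    """Return labels for each class of restricted data present in text."""
    findings = []
    if ACCOUNT_RE.search(text):
        findings.append("account_number")
    if SSN_RE.search(text):
        findings.append("ssn")
    for m in CARD_CANDIDATE_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append("payment_card")
            break
    return findings


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                        # "allow", "block" or "quarantine"
    findings: list[str] = field(default_factory=list)
    reason: str = ""


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg: OutboundMessage) -> Verdict:
    """Apply the DLP policy to one outbound message."""
    findings = find_restricted(msg.subject + "\n" + msg.body)
    if not findings:
        return Verdict("allow", [], "no restricted data")

    external = {recipient_domain(r) for r in msg.recipients} - CORPORATE_DOMAINS
    if not external:
        return Verdict("allow", findings, "restricted data stays inside the firm")
    webmail = external & PERSONAL_WEBMAIL
    if webmail:
        return Verdict("block", findings,
                       f"restricted data to personal webmail: {sorted(webmail)}")
    return Verdict("quarantine", findings,
                   f"restricted data to external domain(s) {sorted(external)}; hold for review")


# Constructed sample messages (no real client data).
SAMPLES = [
    OutboundMessage("advisor@examplefirm.com", ["ops@examplefirm.com"],
                    "Rebalance", "Please rebalance account ABC-12345678 per the IPS."),
    OutboundMessage("advisor@examplefirm.com", ["advisor.home@gmail.com"],
                    "Quick note", "Account ABC-12345678, SSN 123-45-6789, follow up Monday."),
    OutboundMessage("advisor@examplefirm.com", ["custodian@partner-custodian.com"],
                    "Wire", "Card on file 4111 1111 1111 1111 for the fee."),
    OutboundMessage("advisor@examplefirm.com", ["friend@gmail.com"],
                    "Lunch", "Order #1234567890123456 confirmed, see you at noon."),
]


def run_samples() -> list[str]:
    """Actions taken for the constructed samples, in order."""
    return [evaluate(m).action for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        v = evaluate(m)
        print(f"{v.action:<10} {m.subject!r:<14} {v.findings} {v.reason}")
```

The fourth sample shows why the Luhn check matters: a 16-digit order number that fails the checksum is not a card number, and a rule that fires on every long digit run is exactly the kind of false positive that gets a DLP control tuned down or switched off in practice.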

