SEC Announces the 2nd wave of Cyber Security Audits for Investment Advisors and Broker Dealers


John Stuart and Vincent Sos

The SEC has released a statement alerting Investment Advisors and Broker Dealers that the 2nd round of cyber security audits is coming. The SEC is focused on keeping client information safe from cyber attacks, identity theft, phishing, and a variety of common malicious attacks intended to steal client data. On Sept. 15, 2015 the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert that “underscored the importance of cyber security to the integrity of the market system and customer data protection”. This warning from the SEC came coincidentally close to a Sept. 22nd announcement of a $75,000 fine for an RIA that, according to the release, “failed to establish the required cyber security policies and procedures.”

This is the 2nd wave of communication from the SEC in the past 2 years to focus on the importance of securing a client’s data, both internally within your organization and externally with partners and technology service providers, specifically cloud based applications. Investment advisors need to understand that while a decline in portfolio performance may result in the loss of a few relationships, a breach of client data could be much more severe, risking very serious damage to the firm’s reputation.

The SEC’s examinations concentrate on 6 audit items:

1. Governance and Risk Assessment - Oversight of client data that is specific to a firm’s organization and business model, not just an off-the-shelf solution. Since every firm is different, the SEC likes to see firm-specific procedures for the firm’s data security practices.

2. Access Rights and Controls - How the firm controls application users and their levels of permission to access client data. For example, should the unregistered receptionist have access to the Order Management System? (The answer is no.)

3. Data Loss Prevention (DLP) - DLP consists of best practices and security tools which reduce the leaking of client data outside an organization's control. Sending a client account number over non-secure communication, such as a personal email account, would be considered a high-risk item in a DLP audit. Enterprise grade DLP systems react to these messages in real time and prevent restricted data from leaving the firm’s environment by blocking delivery of the data.

4. Vendor Management - An organization’s cloud application provider(s) should understand and manage security, but the advisory firm is required to review and validate these providers’ disaster recovery plan (DRP), encryption standards, and information security policies. InvestCloud’s Chief Architect, Vincent Sos, is a specialist in cloud security and offers this advice to RIAs when engaging cloud solution providers: "Ensure that your cloud vendors have regular security tests and can provide you with the results. For key vendors you may want to engage your own security specialists to verify or even “ethically hack” your cloud vendor’s solution. Your cloud vendor should always be open to assist you in that exercise."

5. Training - A firm is required to have a program that trains employees to identify threats and protect client information.

6. Incident Response - There are many types of security incidents, and each requires a specific set of employee roles and responsibilities. A firm needs a plan for who does what if there is a breach or loss of client data.

The Office of Compliance Inspections and Examinations will take a deep dive into a select group of advisory practices, with a magnifying glass on how you and your partners manage client data. One can assume the SEC sees the RoboAdvisor space of digital capabilities as a trend that is here to stay and is proactively preparing for more and more client data to be stored across a variety of cloud service providers. While clients expect their advisors and brokers to be subject matter experts in investments and wealth management, they typically do not assume the same about technology. Of the thousands of RIAs managing trillions of dollars of client wealth, very few have employed Technology Officers to oversee cyber security on behalf of clients.
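To make the DLP control in audit item 3 concrete, here is an added example (not InvestCloud's code or any product's logic) of an outbound-email check that flags a client account number addressed to a mailbox outside the firm and blocks delivery. The firm domain, the personal-mail domain list, the account-number format and the sample messages are all constructed assumptions.

```python
"""Added illustration of an outbound-mail DLP rule (constructed example)."""
import re
from dataclasses import dataclass, field

FIRM_DOMAIN = "example-ria.com"                          # assumed firm domain
PERSONAL_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Assumed client account format: 8 to 12 digits, usually after a label
# such as "acct", "account #" or "account number:".
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:=]?\s*(\d{8,12})\b", re.I)


@dataclass
class Verdict:
    action: str                     # "allow" or "block"
    reason: str
    matches: list = field(default_factory=list)   # masked account numbers


def mask(number: str) -> str:
    """Keep only the last four digits so DLP logs do not leak the data."""
    return "*" * (len(number) - 4) + number[-4:]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def inspect_outbound(sender: str, recipients: list, body: str) -> Verdict:
    """Decide whether a message may leave the firm's mail environment."""
    found = [mask(m.group(1)) for m in ACCOUNT_RE.finditer(body)]
    if not found:
        return Verdict("allow", "no client account numbers found")
    external = [r for r in recipients if domain_of(r) != FIRM_DOMAIN]
    if not external:
        return Verdict("allow", "account numbers stay inside the firm domain", found)
    personal = [r for r in external if domain_of(r) in PERSONAL_MAIL]
    target = personal[0] if personal else external[0]
    kind = "personal mailbox" if personal else "external domain"
    # Restricted data leaving firm control: block and record a masked trail.
    return Verdict("block", f"account number sent to {kind} {target}", found)


if __name__ == "__main__":
    samples = [  # constructed messages, not real traffic
        ("adviser@example-ria.com", ["client.home@gmail.com"],
         "Hi, your account number: 123456789012 is now funded."),
        ("adviser@example-ria.com", ["ops@example-ria.com"], "acct 12345678 reconciled"),
        ("adviser@example-ria.com", ["friend@gmail.com"], "Lunch tomorrow?"),
    ]
    for sender, rcpts, body in samples:
        v = inspect_outbound(sender, rcpts, body)
        print(f"{v.action:5} {rcpts[0]:28} {v.reason} {v.matches}")
```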
The scarcity of in-house technology expertise highlights the need for small and medium sized firms to outsource these requirements to experts in cyber security to protect client data. Based on a 2015 InvestmentNews advisor tech study, 73% of Advisors are already using cloud based services. Investment advisors are aggressively moving from on-premise software to the cloud. The SEC recognizes the competitive advantage of the cloud for advisors and is raising its audit standards on client data as more and more data moves beyond the advisor’s physical office.

As an industry leader in Cloud Security, InvestCloud welcomes questions from advisory firms on our security practices. Feel free to reach out to your regional sales representative or email us at sales@investcloud.com to take a deep dive into our technology services and security standards, currently trusted by thousands of users accessing trillions of dollars of client assets on our platform.

John Stuart is the Chief Marketing Officer and EVP of Hybrid Solutions at InvestCloud, Inc. Throughout his career, Stuart has held senior positions helping both large and small financial service companies with management strategy, acquisitions, and vision/implementation of their products, technologies, and operations. With more than 12 years in marketing, technology, and financial services, Stuart focuses on defining and executing InvestCloud's strategic marketing and business development initiatives. Stuart holds a Master of Business Administration, with a focus on Information Decision Systems, from San Diego State University, and a Bachelor of Science in Management Information Systems from Point Loma Nazarene University.

Vincent Sos is the Chief Architect Officer of InvestCloud Inc., based in Beverly Hills, CA. He has over 15 years of experience, specializing in product development and business strategy, in the Technical and Financial Services industries. Vincent grew up in Spain and received his MBA from IESE, Europe’s top MBA School. He has lived and worked in multiple countries, including the United Kingdom and the United States, giving him unique insight into international business dynamics. Vincent’s significant knowledge of trends and technology in the financial services industry makes him a notable thought leader on the topic of innovation and new tendencies in the industry. Follow him on Twitter for cyber security insights and news.

