Compliance and Regulatory Services (“CARS”) Hot Topics for October 2015
This month, we are highlighting a new SEC Risk Alert from the Office of Compliance Inspections and Examinations (“OCIE”) outlining the focus areas for its cybersecurity examination program. This is the second in a series of OCIE risk alerts dealing with cybersecurity, and this time OCIE has also attached to its release a first-day letter dedicated solely to cybersecurity. The alert gives SEC-registered investment advisers a very good roadmap for building a risk-based program that protects the firm’s proprietary information and preserves the privacy of critical client data, whether that data resides on the firm’s own computer systems or at the third-party vendors selected to receive it.
Cyber risk has become a worldwide priority and threatens every financial institution; the potential for loss of critical operational and client data is always present. OCIE treats a failure to take appropriate protective action as a violation of the federal privacy rules, and states that have adopted their own privacy legislation will treat it the same way. This is evidenced by the recent SEC action against a registered investment adviser described below. The SEC clearly has no tolerance for anything less than a strong cybersecurity program.
OCIE's 2015 Cybersecurity Examination Initiative is part of its National Examination Program and outlines the areas of interest examiners will review during on-site inspections. The focal areas are governance and risk assessment [our emphasis added], access rights and controls, data loss prevention, vendor management, training, and incident response. This builds on OCIE's earlier recommendation that SEC registrants adopt a cybersecurity framework, for which it cited the National Institute of Standards and Technology’s "Framework for Improving Critical Infrastructure Cybersecurity" as a viable model.
The SEC recently fined and sanctioned an investment adviser because its policies and procedures were not reasonably designed to prevent a third-party-hosted web server from being accessed by a foreign intruder, who obtained the adviser’s clients’ names and social security numbers. The SEC charged the firm with violating the Safeguards Rule of Regulation S-P by failing to conduct periodic risk assessments, employ a firewall, encrypt client data, or establish procedures to respond to cybersecurity incidents.
Our Take: Although not even the United States federal government, or any other government, can prevent every cyber-attack, it is the SEC’s intention to make every registered investment adviser responsible for maintaining the integrity of client data, whether that information resides on the adviser’s own servers or on those of a third-party vendor.
(Complete Listing: http://www.finra.org/Industry/Regulation/Notices/2014/index.htm)
FINRA Rule Filings List
(Complete Listing: http://www.finra.org/Industry/Regulation/RuleFilings/2014/index.htm)