Earlier this year, the SEC announced that one of its focus areas for examinations in 2014 would be cybersecurity. The SEC Office of Compliance Inspections and Examinations published a Cybersecurity Initiative Risk Alert in April that provides a sample request for information and documents, designed to determine a firm’s preparedness for cybersecurity threats. Examples of questions asked include:
– Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists;
– Does the Firm have a Chief Information Security Officer or equivalent position? If so, please identify the person and title. If not, where does principal responsibility for overseeing cybersecurity reside within the firm?
– Please provide a copy of the Firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds. If no written procedures exist, please describe the process.
Parker MacIntyre attorneys Steve Parker and Bryan Gort recently attended the annual North American Securities Administrators Association (NASAA) conference in Indianapolis, Indiana. Cybersecurity was a major focus of this year’s conference. NASAA administered a cybersecurity practices survey to 440 state-registered investment advisers in 9 states. As a result of NASAA’s survey, it produced a report entitled, “Compilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms” in September. The firms surveyed average three total employees and two Investment Adviser Representatives and range from 1 to 100 employees and 1 to 39 Investment Adviser Representatives.
The results suggest that many firms are not prepared to handle a cybersecurity breach and do not properly safeguard their clients’ personal information. Below are some of the important findings of the survey:
– Of the 92% of firms that use e-mail to contact clients, only 50% use secure e-mail;
– Only 57% of firms authenticate clients’ e-mail instructions;
– 62% of firms used a cybersecurity risk assessment to determine potential risks to their clients’ information;
– 44% of firms have policies and procedures in place related to cybersecurity;
– Only 4.1% of firms indicated that they have experienced a cybersecurity incident.
Source – North American Securities Administrators Association
In order to adequately craft your firm’s policies and procedures for handling customer information, you should use the “Standards for Safeguarding Customer Information,” located at 67 CFR 36493, May 23, 2002. These standards were created by the Federal Trade Commission as a result of the Gramm-Leach-Bliley Act to provide guidance for drafting your firm’s policies. For example, the standards require a firm to designate an employee to coordinate the information security program at your firm and to “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information”.
If your RIA needs help with its information security protocols, Parker MacIntyre can help your firm draft policies and procedures designed to help safeguard important client information. Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds and issuers of securities, among others.