SEC Issues Observations on “Cybersecurity and Resiliency”

The SEC’s Office of Compliance Inspections and Examinations and (OCIE) has issued “Cybersecurity and Resiliency Observations,” which summarizes and reflects on the risks of cybersecurity its examiners have observed in thousands of examinations of broker-dealers and investment advisers over the past eight years. Fittingly, OCIE observed that one size does not fit all when it comes to cybersecurity. The paper, however, provides detailed commentary on several segments of risks and the responses to those risks. One of those areas, governance and risk management, is an area of overall concern for most firms.

As with compliance in general, an effective cybersecurity program “starts with the right tone at the top,” according to OCIE. Other studies demonstrate that without leadership support and continuous engagement, information securities policies fail. In an effective program, the firm’s C-level executives and the board must coordinate activities of several key employees and potentially outside service providers. The initial priority should be to make an inventory of cyber risks and analyze and prioritize those risks. Essentially this must be a team exercise because expertise is required from multiple quarters and points of view. Larger firms may wish to coordinate cybersecurity policies at the enterprise level, but differences among different constituencies within the enterprise may strongly suggest that policies should be addressed at the level of the subsidiary level.  Factors to consider are threats from malicious insiders, unintentional breaches through regular internal operations, risks relating to remote working and traveling, and geopolitical risks.

Once the prioritized inventory is prepared, written policies and procedures should be drafted that are capable of being effectively implemented and enforced. This requires thoughtful consideration of the firm’s capability of fulfilling the goals of the policies with existing personnel. If the firm cannot adequately implement the policies and procedures, it will need to hire outside information technology consultants. Senior leadership must assure that the organization allocates sufficient funding to achieve information security as one of the firm’s highest priorities. This includes funding to hire and train personnel and to procure such tools (i.e., hardware, software, subscriptions) to ensure security. Critically, the policies and procedures must also include provisions for timely and meaningful communication of breaches to regulators, customers, and law enforcement.

The policies and procedures should build in comprehensive testing and monitoring procedures. The testing procedures should be “regular and frequent” and must be designed to validate the effectiveness of the overall policies and procedures. The results of the testing and monitoring, to the extent they reveal gaps or weaknesses, should inform future changes to the policies.  Effective policies will also include express provisions for communicating weaknesses and identified threats to supervisory personnel and ultimately to C-level or other senior officers and the board.

OCIE stresses the importance of involving senior leadership in reviewing and overseeing the area of cybersecurity. For instance, those who review the results of the testing and monitoring must “involve board and senior leadership appropriately.”  Key performance indicators should be established and evaluated. Essentially senior leadership must be involved in all four critical elements of an effective program: governance, controls, oversight, and accountability.

Parker MacIntyre provides legal and compliance services to investment advisers, broker-dealers, registered representatives, hedge funds, and issuers of securities, among others. Our Investment Adviser Group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules.  Please visit our Investment Adviser Practice Group page for more information.