SEC Cyber-Probe: Round 3
Recent activity by the Securities and Exchange Commission (SEC) highlights its continued focus on cybersecurity. In a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), the staff highlighted weak controls related to safeguarding customer information in network storage, including third-party providers.
As noted in the Risk Alert, some investment advisers and broker-dealers failed to use security features available to internal or external networks, such as encryption, password protection, and other features. (In last week’s blog post, we noted changes made by Microsoft to its password reset feature.) Others failed to properly oversee vendors, including ensuring that contracts and controls offered by those vendors meet the standards under Regulations S-P (Privacy) and S-ID (Identity Protection). Finally, as is frequently noted by the staff, some investment advisers and broker-dealers failed to have adequate policies and procedures covering data security and technology implementation and maintenance.
Luckily, the staff offered some “examples of effective practices”, which is about as close as you are going to get to a recommendation from the SEC. In it, the staff noted that effective oversight includes:
- Policies and procedures that address the installation, maintenance, and periodic review of technology systems;
- Internal guidelines that identify security controls and baseline security configurations for technology solutions; and
- Vendor management policies and procedures that ensure technology vendors are maintaining their systems and meeting data security requirements.
From a practical standpoint, developing written policies and procedures to address these areas is manageable for most investment advisers and broker-dealers. The challenge is in the implementation of those policies and procedures. Often, investment advisers and broker-dealers don’t have internal Information Technology resources to manage these areas. Many then rely on third-party service providers that are not familiar with SEC regulations.
To complement its risk alert, OCIE has launched a third cybersecurity sweep of investment advisers and broker-dealers, which focuses on technology vendor oversight. One of the information requests asks for due diligence that the registrant conducted before adopting a technology system. Additionally, the staff is asking how investment advisers and broker-dealers regularly monitor their technology vendors. They are even asking for contracts with vendors to review security-related provisions. (Hint: your vendor contracts should have provisions that address privacy, confidentiality, and security.)
At CCO Tech, we’re familiar with both SEC regulations and technology. If you need help developing or implementing policies and procedures to address these areas, you can contact us by clicking on the button below. We can also assist you with vendor management and due diligence. And if you’re unsure whether your current program is sufficient, we can have a quick meeting with you to help you determine how you measure up against the staff’s expectations.