Cybersecurity Must Be C-Suite Concern at RIAs, Brokers and Managers

In conversation with PLANADVISER, cybersecurity attorney and former SEC staffer Marlon Paz suggests it is absolutely essential for advisory firms to have a senior executive “not just appointed but also empowered” as the chief information security risk officer. 

By John Manganaro editors@strategic-i.com | September 15, 2017
Recently, the Securities and Exchange Commission (SEC) issued a risk alert urging broker/dealers, registered investment advisers (RIAs) and investment fund companies to take direct steps to improve their cybersecurity policies and practices.

According to Marlon Paz, partner at Seward & Kissel LLP and former compliance staffer at the SEC, this risk alert was a long time coming, and the themes it presents actually occupied much of his own work at the regulator from 2004 to 2010. The big upshot of the risk alert is that, following case study reviews of some 75 investment management firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) feels that most broker/dealers, investment advisers and funds have at least one potentially serious cybersecurity issue to be addressed—likely more. 

“This is a very well written and informative risk alert,” Paz says, encouraging all investment industry practitioners to read it carefully. “The SEC has made it clear that they will continue to examine and test for cybersecurity compliance procedures and controls, and will not shy away from potential enforcement actions for those who are not compliant.”

Given his time at the SEC, Paz offered some inside-baseball analysis of what the SEC is signaling, both in the text of its risk alert publications and between the lines.

“One of the clearest messages I am getting is that the SEC is actually fairly pleased that more and more firms are drafting and adopting well-crafted policies and procedures in this area,” Paz says. “However, the SEC is also warning that there is clear evidence that the policies and procedures are not always being followed as closely as the regulator would like. Protecting client information and assets is becoming a major focus for SEC examinations. That is the message.”

Paz reminds readers that there are very specific and exacting requirements to be followed in this area, enforced under various statutes and the Employee Retirement Income Security Act (ERISA).

The “SEC has put the industry on notice and offered specific guidance with this risk alert, so we should all expect the next round of examinations and enforcement actions to use the requirements here laid out as a baseline for future compliance,” Paz says. “In other words, there really is not any more time to wait to improve your practices, because the SEC is seemingly done with having leniency in this area. Here is the SEC telling us in clear terms what they expect, so we should listen.”