Are Advisers Ready for the Next Round of Risk Exams?

A white paper outlines some of the critical cybersecurity points to prepare for the SEC’s Risk Alert.

Last year’s SEC Risk Alert focused on administration, but 2015 took a broader view of cybersecurity measures, cautions ExternalIT in a new white paper. ”Financial Firms Face Further Scrutiny of Their Cybersecurity Practices—Is Your Firm Ready?” gives a run down on the areas of focus—governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response—of the OCIE’s testing.

The threat to an adviser’s practice is real. In September, an investment adviser in St. Louis agreed to settle charges with the SEC for failing to establish cybersecurity policies before a data breach that compromised the personally identifiable information of about 100,000 individuals, including thousands of its own clients. The adviser stored sensitive personal information of its clients and others on a server hosted by a third party over four years, beginning in September 2009.

Never miss a story — sign up for PLANADVISER newsletters to keep up on the latest retirement plan adviser news.

The server was attacked in July 2013 by an unknown hacker who gained access to the server’s data, according to the SEC. Among other failings, the adviser failed entirely to adopt any written policies and procedures to safeguard customer information, such as conducting periodic risk assessments or implementing a firewall. The firm did not maintain a response plan for cybersecurity incidents.

Luckily, the firm has not received any indications of a client suffering financial harm as a result of the cyber attack. Shortly after attack, the firm retained more than one cybersecurity consulting firm to confirm the attack and determine its scope, and notified every individual and offered free identity theft monitoring. The cost of the penalty was $75,000, according to published reports.

As an IT outsourcing firm specializing in financial services, External IT has firsthand knowledge of how firms handle cybersecurity, and uses real-life examples of how firms fail to meet the SEC’s requirements in its paper.

NEXT: Few firms have a good answer when the SEC asks, Who’s in charge? 

During a governance and risk assessment, for example, the first question a firm has to answer is often, “Who is in charge of IT security?” The most common answers—the chief compliance officer, or no one specific person, or a third-party local IT vendor—are not good enough, according to External IT. “A CCO may not have the experience or education to evaluate security risk, and may rely on an outside consultant to assist the firm who could take months to become a proactive member of the firm’s team.” Dozens of firms were asked whether their outside IT firm has shown them IT security plans, audits or logs. Most admitted that nothing proactive was being done.

Basic controls can minimize the risk of data breaches, External IT points out, such as installing multi-factor authentication for users, stringent credentials and authorization methods, and updating access rights. In plain language and a real-life example, this means it might be helpful for the agency handling the firm’s cybersecurity to know if an employee who quit the firm on a Monday shared all his files over the weekend—a clear example of real controls in the hands of the people who need them.

Data loss prevention is another critical area of cybersecurity the SEC will monitor, and External IT found that more than 90% of firms archive their email, but far fewer actually monitor email. This monitoring process can be burdensome for staff, but affordable technologies are available.

Vendor management can be a sensitive area in cybersecurity, and the bigger the third-party partnership, the bigger the potential data breach, External IT contends. Firms owe it to their clients and themselves to choose vendors carefully after thorough due diligence. Vendor relationships, contract terms and the amount of oversight the firm applies to vendors should all be scrutinized. Firms need to keep records of the software and data that vendors can access—ironically, even those vendors hired to address cybersecurity risk.

”Financial Firms Face Further Scrutiny of Their Cybersecurity Practices—Is Your Firm Ready?” can be downloaded from External IT’s website.

«