Is Cybersecurity a Priority for Your Investment Firm? It is for Regulators

If you haven’t been giving your firm’s information security the attention it deserves, now would be a good time to start. Recent activities by the Securities and Exchange Commission (SEC) and National Futures Association (NFA) suggest that cybersecurity will continue to be one of the top areas of focus for both regulators and that they have certain minimum expectations for what investment advisers’ cybersecurity programs should look like.

The SEC recently settled an enforcement action with an investment adviser for failure to adopt policies and safeguards to protect clients’ personally identifiable information (PII) in violation of Rule 30 of Regulation S-P. In particular, the SEC focused on the adviser’s failure to:

• Conduct periodic assessments
• Implement a firewall
• Encrypt the personally identifiable information
• Adopt a cybersecurity incident response plan

In September, the SEC announced through its risk alert the second phase of examinations of investment advisers related to cybersecurity, which focuses on the following areas:

• Governance and risk assessment (including involvement of senior staff and tailoring to risks of firm)
• Access rights and controls
• Data loss prevention controls
• Vendor management
• Training programs
• Incident response plans

In addition, the National Futures Association recently proposed interpretative advice relating to cybersecurity with respect to the privacy, records and supervision requirements of registered commodity pool operators, registered commodity trading advisors and other registered markets. The NFA’s proposed interpretative advice is principles-based and would require the adoption of an information systems security program tailored to the risks of the relevant registered entity.

Based on the above and previous cybersecurity actions, investment advisers should consider making a robust cybersecurity program a priority at their firm.

Cybersecurity policies and procedures should include identifying risks and mitigation efforts, an incident response plan, and training. In addition, SEC advisers and NFA members should consider establishing vendor diligence and management policies. SEC advisers and NFA members should also periodically test the system they implement, including incident response testing, penetration testing and cybersecurity risk assessments/gap analyses.

Advisers may want to engage a qualified consulting firm to assist with meeting regulatory expectations.

Kaufman Rossin’s risk advisory services team includes former regulators who know the financial services industry inside and out. Unlike a general IT security firm, Kaufman Rossin has the industry experience and expertise to help SEC-registered investment advisers, broker-dealers, and NFA members assess their cybersecurity risk and assist them in conducing security tests, including social engineering and phishing testing, vulnerability assessments, and policies and procedures assessments.

Please contact a member of Kaufman Rossin’s risk advisory team for a free consultation to assist you in identifying and mitigating your firm’s cybersecurity regulatory risk.