Cybersecurity Must Be C-Suite Concern at RIAs, Brokers and Managers

In conversation with PLANADVISER, cybersecurity attorney and former SEC staffer Marlon Paz suggests it is absolutely essential for advisory firms to have a senior executive “not just appointed but also empowered” as the chief information security risk officer. 

Recently, the Securities and Exchange Commission (SEC) issued a risk alert urging broker/dealers, registered investment advisers (RIAs) and investment fund companies to take direct steps to improve their cybersecurity policies and practices.

According to Marlon Paz, partner at Seward & Kissel LLP and former compliance staffer at the SEC, this risk alert was a long time coming, and the themes it presents actually occupied much of his own work at the regulator from 2004 to 2010. The big upshot of the risk alert is that, following case study reviews of some 75 investment management firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) feels that most broker/dealers, investment advisers and funds have at least one potentially serious cybersecurity issue to be addressed—likely more. 


“This is a very well written and informative risk alert,” Paz says, encouraging all investment industry practitioners to read it carefully. “The SEC has made it clear that they will continue to examine and test for cybersecurity compliance procedures and controls, and will not shy away from potential enforcement actions for those who are not compliant.”

Drawing on his time at the SEC, Paz offered some inside-baseball analysis of what the regulator is signaling, both in the text of its risk alert publications and between the lines.

“One of the clearest messages I am getting is that the SEC is actually fairly pleased that more and more firms are drafting and adopting well-crafted policies and procedures in this area,” Paz says. “However the SEC also is warning that there is clear evidence that the policies and procedures are not always being followed as closely as the regulator would like. Protecting client information and assets is becoming a major focus for SEC examinations. That is the message.”

Paz reminds readers that there are very specific and exacting requirements to be followed in this area, enforced under various statutes and under the Employee Retirement Income Security Act (ERISA).

The “SEC has put the industry on notice and offered specific guidance with this risk alert, so we should all expect the next round of examinations and enforcement actions to use the requirements here laid out as a baseline for future compliance,” Paz says. “In other words, there really is not any more time to wait to improve your practices, because the SEC is seemingly done with having leniency in this area. Here is the SEC telling us in clear terms what they expect, so we should listen.”


Beyond this, the SEC is now very clear that cybersecurity policies and procedures cannot be cookie-cutter, off-the-shelf affairs. As Paz puts it, “all these third-party consulting groups that have emerged to say they have a whiz-bang cybersecurity policy which they can sell you and slap your name on and solve all your problems, they are promising much more than they can deliver.”

“It is a recipe for disaster to use a cookie-cutter approach,” Paz continues. “The policies must be tailored to your specific risk, and not everyone’s risk is the same. A small, non-tech-driven manager with 10 staff that only have access to work information through firewall-protected desktop computers does not have the same profile of risks and concerns that a major national tech-driven brokerage may have. Does your company keep things tightly controlled, or does it allow people to use their own portable devices and external networks all over the globe?”

The SEC will be examining these matters closely in the future, “as they should,” Paz adds. “Once you have written out some very well-tailored processes and procedures, naturally the next step is to ensure you are doing what you have pledged to do.”

In his experience, it is absolutely essential for advisory firms to have a senior executive “not just appointed but also empowered” as the chief information security risk officer. Putting a younger employee with little authority in charge of these matters will simply not cut it. Even if they have the know-how, their ideas and warnings stand the chance of only being acted on slowly, or not at all. 

“A senior executive is going to be the only person who is capable of meeting the demands of this job,” Paz says. “It must be somebody with the understanding of what the risk means to the business as a whole and who has the authority to make sure the culture of compliance is real and persistent.”

Interestingly, Paz concludes with the advice that this chief cybersecurity risk officer does not necessarily have to be the most technologically minded of the senior executives, either. “In fact that is far from the most important qualification,” he says. “More important is the commitment, discipline and authority.”

The full SEC risk alert publication is available here.

Fixed Income Sees Most of DC Trade Inflow for August

Even though trading among 401(k) participants was up slightly this month, most of the inflow traveled to fixed income vehicles.

August saw an uptick in trading activity among defined contribution (DC) participants, with three days seeing above-normal trading activity, according to the Alight Solutions 401(k) Index.

“Over the last five years, the Index has averaged 32 above normal trading days per year,” explains Rob Austin, director of Research at Alight. “The fact that there have only been six such days this year speaks to how infrequently participants have been initiating trades. There are likely two main forces at play: inertia on the part of investors and a prolonged upward-trending market.”


When it came to trading, most investors preferred fixed income. According to the index, 18 out of 23 trading days in August favored fixed income. Overall, 31% of inflows went to stable value funds, 21% went to money market funds, 21% went to international funds, and 17% went to bond funds. Meanwhile, outflows primarily came from equities and company stock funds. Large U.S. equity funds saw 36% of total outflows. Further outflows came from company stock funds (22%), small U.S. equity funds (17%) and mid U.S. equity funds (16%).

At the end of August, 67.1% of balances were invested in equities, down slightly from 67.4% at the end of July. Moreover, 67.1% of new contributions were invested in equities, down slightly from 67.3% in July.

The index also showed that target-date funds (TDFs) continue dominating the DC space, accounting for 26% of total balances followed by large U.S. equity funds (24%) and stable value funds (12%).

TDFs were also the asset class that saw the biggest amount of contributions with $454 million or 45% of total contributions coming into these vehicles.

Alight notes, “In August, capital markets saw mostly modest gains for U.S. bonds (represented by the Bloomberg Barclays U.S. Aggregate Index), international equities (represented by the MSCI All Country World ex-US Index), and large U.S. equity funds (represented by the S&P 500 Index).

“The Bloomberg Barclays U.S. Aggregate Index returned 0.9%, the S&P 500 returned 0.3% and the MSCI All Country World ex-U.S. Index returned 0.5%. The Russell 2000 Index declined by 1.3% in August.”

On average, 0.016% of balances traded each day of the month ending August 31, 2017.

Alight Solutions defines a “normal” level of relative transfer activity as trading when the net daily movement of participants’ balances, as a percent of total 401(k) balances within the Alight Solutions 401(k) Index, equals between 0.3 times and 1.5 times the average daily net activity of the preceding 12 months. A “moderate” relative transfer activity day is when the net daily movement is between 1.5 and two times the average daily net activity of the preceding 12 months. A “high” relative transfer activity day is when the net daily movement exceeds two times the average daily net activity.

More information can be found at Ideas.Alight.com
