Recently, the Securities and Exchange Commission (SEC) issued a risk alert urging broker/dealers, registered investment advisers (RIAs) and investment fund companies to take direct steps to improve their cybersecurity policies and practices.
According to Marlon Paz, partner at Seward & Kissel LLP and former compliance staffer at the SEC, this risk alert was a long time coming, and the themes it presents actually occupied much of his own work at the regulator from 2004 to 2010. The big upshot of the risk alert is that, following case study reviews of some 75 investment management firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) feels that most broker/dealers, investment advisers and funds have at least one potentially serious cybersecurity issue to be addressed—likely more.
“This is a very well written and informative risk alert,” Paz says, encouraging all investment industry practitioners to read it carefully. “The SEC has made it clear that they will continue to examine and test for cybersecurity compliance procedures and controls, and will not shy away from potential enforcement actions for those who are not compliant.”
Given his former time at the SEC, Paz offered up some inside baseball analysis of what the SEC is signaling in the text and between the lines of its risk alert publications.
“One of the clearest messages I am getting is that the SEC is actually fairly pleased that more and more firms are drafting and adopting well-crafted policies and procedures in this area,” Paz says. “However the SEC also is warning that there is clear evidence that the policies and procedures are not always being followed as closely as the regulator would like. Protecting client information and assets is becoming a major focus for SEC examinations. That is the message.”
Paz reminds readers that there are very specific and exacting requirements to be followed in this area, enforced under various statutes and the Employee Retirement Income Security Act (ERISA).
The “SEC has put the industry on notice and offered specific guidance with this risk alert, so we should all expect the next round of examinations and enforcement actions to use the requirements here laid out as a baseline for future compliance,” Paz says. “In other words, there really is not any more time to wait to improve your practices, because the SEC is seemingly done with having leniency in this area. Here is the SEC telling us in clear terms what they expect, so we should listen.”
Beyond this, the SEC is now very clear that cybersecurity policies and procedures cannot be cookie-cutter, off-the-shelf affairs. As Paz puts it, “all these third-party consulting groups that have emerged to say they have a whiz-bang cybersecurity policy which they can sell you and slap your name on and solve all your problems, they are promising much more than they can deliver.”
“It is a recipe for disaster to use a cookie-cutter approach,” Paz continues. “The policies must be tailored to your specific risk, and not everyone’s risk is the same. A small, non-tech-driven manager with 10 staff that only have access to work information through firewall-protected desktop computers does not have the same profile of risks and concerns that a major national tech-driven brokerage may have. Does your company keep things tightly controlled, or does it allow people to use their own portable devices and external networks all over the globe?”
The SEC will be examining these matters closely in the future, “as they should,” Paz adds. “Once you have written out some very well-tailored processes and procedures, naturally the next step is to ensure you are doing what you have pledged to do.”
In his experience, it is absolutely essential for advisory firms to have a senior executive “not just appointed but also empowered” as the chief information security risk officer. Putting a younger employee with little authority in charge of these matters will simply not cut it. Even if they have the know-how, their ideas and warnings stand the chance of only being acted on slowly, or not at all.
“A senior executive is going to be the only person who is capable of meeting the demands of this job,” Paz says. “It must be somebody with the understanding of what the risk means to the business as a whole and who has the authority to make sure the culture of compliance is real and persistent.”
Interestingly, Paz concludes with the advice that this chief cybersecurity risk officer does not necessarily have to be the most technologically minded of the senior executives, either. “In fact that is far from the most important qualification,” he says. “More important is the commitment, discipline and authority.”
The full SEC risk alert publication is available here.