With all the high-profile data breaches lately (Target, Chase, Michael’s Stores, American Express, etc.), it was inevitable that FINRA and the SEC, along with the State regulators, would not only talk about cyber-security and issue notices and rules regarding it, but would also make it a priority. They now have, and you had better be ready.
On April 15, the SEC Office of Compliance Inspections and Examinations (OCIE) published a risk alert on cyber-security. The tone of the alert is ominous to say the least:
“OCIE’s cyber-security initiative is designed to assess cyber-security preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cyber-security governance, identification and assessment of cyber-security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber-security threats.”
There is no doubt that cyber-security is lacking in the financial services industry and that clients’ data may certainly be at risk. However, an initiative like this spells trouble, in the form of extra work and costs, for the industry as a whole. For evidence of that, simply review the appendix to the alert that provides a sample document/examination request that will be used by the SEC. As you read through the items, try and figure out how your firm would answer if asked. Please don’t assume this will be limited to the selected 50 broker/dealers and investment advisers because it won’t be. FINRA already included cyber-security in its 2014 exam priorities and issued a Targeted Exam Letter in January of this year. State regulators never like to be late on an issue so expect inquiries from them either directly or during upcoming exams.
With so much regulatory focus on this issue, what should small and medium investment advisers and broker/dealers do? If you’ve ruled out opening a restaurant in the Bahamas, we recommend the following steps:
- Do a risk assessment of your current cyber-security. Meet with the principals of your firm and review the appendix as a group, answering as many questions as possible. If you have an IT department or consultant, they should participate. If you have an outside compliance consultant, they should be there as well;
- Produce an action plan related to how you will bridge the gaps you have identified. If your IT and/or compliance consultant hasn’t been involved yet, get them involved during this step. You will need to rank the risks by severity and also do a cost analysis for each as these solutions can sometimes be quite expensive;
- Implement your plan. Documentation of the solutions you identify and implement is critical if you are called to defend your measures prior to full implementation. This is a developing area that is being emphasized, but the regulators, believe it or not, will often take into account risk identification and solution design and not just demand total compliance on day one. Waiting for them to come in and tell you what to do is not the best option;
- Update your Compliance Manual and/or Written Supervisory Procedures. These updates will certainly not be as detailed as your IT plan but should reflect the systems and solutions you have implemented. At a minimum, annual updates are required.
Cyber-security is and should be serious business. Red Oak Compliance Solutions stands ready to assist you in your efforts to evaluate your risks and implement solutions. Please call us at 888.302.4594 or email us at firstname.lastname@example.org to discuss these important issues.