In a recent risk alert, the SEC announced that it was instituting a second exam priority focused on cybersecurity at broker-dealers and registered investment advisors. The SEC decided to conduct this second targeted exam due to its findings from an earlier cybersecurity exam priority.
This new initiative will focus on the following areas:
- Governance and risk assessment: does a registrant have adequate governance and risk assessment processes and policies in place to address the points below.
- Access rights and control: does a registrant have basic controls to prevent unauthorized access to the systems and information.
- Data loss prevention: does a registrant have an adequate program to monitor electronic data that is sent out of the firm by employees or through third parties; are there unauthorized transfers being made.
- Vendor management: does a registrant have practices and controls related to vendor management, such as due diligence as to vendor selection, oversight and contract terms.
- Training: does a registrant have an adequate training program for those employees and vendors who could put the firm’s data at risk.
- Incident response: does a registrant have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.
What is the takeaway from this initiative? If you do not realize that cybersecurity is critical for your existence, then you have been asleep for the past few years.
The real lesson is that the SEC is giving you a guidepost for your own internal review to ensure that you are focused on the SEC’s topics of importance. Once this exam priority is completed, you should anticipate that the SEC will start issuing heavy sanctions upon non-compliant firms.
Act now; don’t wait for the SEC to pay you a visit. Protect your firm, protect your clients, and avoid the wrath of the SEC. The SEC has painted a picture for you. You would only have yourself to blame if you do not act now, before you hear from the SEC.