Getting Your Information Security Program Up to Scratch

In 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) reaffirmed that its examination priorities continue to include cybersecurity. Two years previously, OCIE detailed the following specific areas of focus:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

These key areas should cover much of the cybersecurity risk that Investment Adviser (“IA”) firms will face. However, for firms with little to no experience in dealing with cybersecurity, covering the above can be a daunting task. By reviewing OCIE examination priorities and taking a step-by-step approach, a firm can create an Information Security Policy (ISP) suitable to its needs. An Information Security Policy should be a comprehensive document outlining how a firm handles matters related to cybersecurity. Everything from high-level policy to technical details will be within the Information Security Policy.

Governance And Risk Assessment

The OCIE 2015 examination priorities for Governance and Risk Assessment provide as follows:

“Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.” – OCIE’s 2015 Cybersecurity Examination Initiative

When dealing with Governance and Risk Assessment, a firm should ask these questions:

  • Does the firm handle sensitive data?
  • Where is sensitive data located?
  • Who can access sensitive data?
  • How can sensitive data be accessed?
  • Who oversees IT decisions?

Each firm will have its own share of unique risks depending on the type of IA as well as the business environment in which it operates. When evaluating risk, a firm must first identify what is at risk. In most cases, the answer will include data.

