On February 9th, 2022 the United States Securities and Exchange Commission (SEC) proposed new rules related to cybersecurity risk management and disclosures for registered investment advisers, registered investment companies, and funds. For those that have been paying attention, this proposal and its details are no surprise. For nearly eight years the SEC Division of Examinations (The Division, formerly the Office of Compliance Inspections and Examinations (OCIE)) has been communicating gaps in cybersecurity governance they observed in their examinations and the corresponding risks these gaps pose to investors.

We at Agio have been monitoring these messages since 2014 to prepare our financial services clients for compliance and better security. Agio’s SEC Cybersecurity Governance Program clients are prepared for the new SEC rules – the evolution of SEC cybersecurity guidance. We expect them to pass the cybersecurity review of an SEC examination in future as they have so far.

Many RIAs and funds saw this coming at the same time we did – in 2014, the year we released our SEC Cybersecurity Governance Program, the moment SEC signaled it was serious about cyber. Although the 2014 alerts from the SEC were not “requirements,” it was clear these established the path to tightening security and protecting investor data and their investments from cyber-attacks.

This was the start of the marathon run to SEC compliance and cybersecurity best practices. Some firms were in good shape and only needed specialized coaching to get them past the last few miles. Others were behind the starting line but knew now was the time to get moving. Others waited months or years to start but eventually got running to meet their goal.

Agio clients who are dedicated to improving their cybersecurity posture and properly managing cyber risk will typically meet all or the majority of SEC requirements within two years – the average length of time it takes to implement and mature a good cybersecurity program from scratch.

2014: The Marathon Mapped for Cybersecurity Risk Management

The race toward real cybersecurity for RIAs and funds started in 2014 when the SEC OCIE (now The Division) began mapping the course for cybersecurity risk for registrants with its first Risk Alert to call out cybersecurity gaps and launch the OCIE Cybersecurity Initiative .

The 2014 Risk Alert addressing cybersecurity contained a sample list of requests for information OCIE may make regarding cybersecurity matters. This was broken down into six high level categories and further down into 28 “areas of interest” (as we at Agio refer to them) they prioritized for initial focus. The six broad categories are:

  1. Identification of Risks and Cybersecurity Governance
  2. Protection of Firm Networks and Information
  3. Risks Associated with Remote Customer Access and Funds Transfer Requests
  4. Risks Associated with Vendors and Other Third Parties
  5. Detection of Unauthorized Activity
  6. Other
See also  Why Are Software Updates and Patches Important?

The common theme throughout these categories is risk. Through its examinations it was clear to the OCIE that firms did not have a full understanding of the risk that gaps in their cybersecurity policies and procedures posed to the firms and to their investors. This was evidenced by either lack of policies and procedures in key areas, or policies that were in place without corresponding procedures being carried out. Taking this lead, Agio designed its SEC Cyber Governance around central activities of a Security Risk Assessment validated by testing like Comprehensive Penetration Testing. From there we could work with firms to identify and prioritize risks caused by gaps in security controls and take corrective actions.

2015-2021: Later Risk Alerts and Observations

Over the next six years OCIE continued to publish alerts of the cyber threats they saw impacting firms and investors and refined the details firms should include in their cybersecurity risk management. All of the six high level categories held true, but additional specific controls were added or emphasized based on breaches that had occurred. These included:

  • Password policies to strengthen password uniqueness, complexity, and age.
  • Multifactor authentication for all external access and for all users and third parties as well as risks of SMS/text message MFA.
  • Incident response and resiliency. In the 2014 Risk Alert protection and detection were the focus, but as more firms and organizations were successfully breached the need to swiftly respond and recover from them became critical as a means to reduce their overall impact. These efforts included periodically testing incident response, disaster recovery, and business continuity plans especially having reliable, tested, and protected backups.
  • Training and awareness. User actions and errors continue to be the main point of entry for most cyber-attacks. Employees and third parties need to understand their roles and what to look out for on the cyber front.
  • Vendor monitoring and testing. This was a top priority from the start but grew in priority as more firms were breached or had significant business disruption due to their third-party service providers. OCIE spelled out the need to fully understand vendor relationships including rights, responsibilities, and expectations due to false assumptions firms had made regarding what security controls their vendors were responsible for.
  • Data loss prevention (DLP). OCIE includes several types of security controls under DLP including vulnerability scanning and patch management, perimeter security, detective security, hardware/software inventories, encryption, and network segmentation.
  • Senior leadership engagement. Cybersecurity risk and resiliency require attention at the board and senior leadership levels. OCIE identified that lapses in leadership engagement contributed to breaches of customer and client data and later to SEC fines imposed on brokerage firms in 2021.
See also  How to Choose IT Management Services

2022 and Beyond

Last month the SEC proposed new cybersecurity rules which very likely will be finalized before the end of 2022. Although there may be some changes to the specifics, the overall requirement will remain clear:

“Adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risk.”

In addition to SEC requirements, new federal laws passed this month requiring covered entities to report breaches and ransomware attacks signal increasing urgency and pressure from lawmakers to make cybersecurity a priority across the U.S. Furthermore, on March 21st, 2022 the White House published a statement in which President Biden urged private sectors to harden their cyber defenses immediately. On other fronts, more and more firms are including cybersecurity into their environmental, social and governance (ESG) frameworks due to increasing investor demand. The need to focus on cybersecurity risk will not go away.

Start Moving Today

Speaking with our alternative investment clients about cybersecurity, I often use the physical trainer analogy – we cannot make you come into the gym once you’ve signed up, but when you do show up, we will partner with you to achieve your goals like the hundreds of others we have helped achieve theirs.

Agio’s SEC Cybersecurity Governance Program is a proven path to get your firm compliant and secure regardless of the current shape of your cybersecurity program. The standard program continues to meet SEC requirements and cybersecurity best practices. It includes:

  • Security Risk Assessment with Corrective Action Plan
  • Annual Comprehensive Penetration Tests
  • Information Security Policy Creation/Review
  • Incident Response Policy and Procedures
  • Incident Response Testing through Executive and Operational Tabletop Exercises
  • Annual User Training through a Live Cybersecurity Awareness Seminar
  • Social Engineering Testing such as phishing and pretesting Exercises
  • Investor Brief to Include in your ESG framework for potential investors
  • Monthly Governance Meetings with a virtual Chief Information Security Officer (vCISO) to discuss cybersecurity strategy and threats
  • Annual Executive Cybersecurity Briefings to update senior leadership on cybersecurity governance and risk management and discuss future threats and strategy

 

Let’s get going. Contact us, we’re here to help.