By Scott R. Cosentine, CPA, CAMS, CGMA
It is no secret that all aspects of an investment company’s operations find their way through the compliance department. Last month the SEC’s Division of Investment Management explicitly confirmed via Guidance Update 2015-2 that cyber-security is no exception. In order to talk CCOs from the ledge, I want to provide some contextual color around the most recent SEC guidance statement so that small and mid-sized RIAs can take appropriate action.
Given the overall lack of understanding across industries, regulators, and governments on how best to combat these unknown threats, and the ever-changing nature of the risks, there is no silver bullet to be implemented and likely never will be. This dynamic creates a difficult situation for both the individual advisor trying to protect proprietary and client information and regulators trying to protect the industry as a whole. Many CCOs I spoke to see this guidance as a passive-aggressive threat. I see it more as a friendly heads-up that, even though there isn’t explicit cyber-security regulation for most RIAs, there is still regulatory obligation and risk for negligent and/or naïve firms. The SEC, alongside other industry regulators and rule makers at various conferences, acknowledges there is no such thing as 100% protection. Although they don’t expect the CCO to be an IT expert, they do expect the CCO to understand IT well enough to assess the firm’s applicable IT risks and to implement and monitor policies, procedures, and controls designed to effectively mitigate those risks. So what is a firm and its CCO to do?
As “recommended” in the SEC guidance, funds and advisers should conduct periodic cyber-security assessments; create a strategy to prevent, identify, and respond to cyber threats; and implement the strategy through policies, procedures, and training that help to guide officers and employees and monitor compliance. Periodic assessments should include attention to internal and external vulnerabilities, as well as the likely effects of a breach, so that funds and advisers can better assess and mitigate risk. With respect to cyber-security strategies, funds and advisers should consider exerting tighter controls over data access, ramping up encryption, limiting the use of removable storage media to prevent data theft, monitoring system access, backing up data, developing an incident response plan, and implementing routine testing.
Although much of the above can be done internally, most small and mid-sized RIAs will need a third-party expert to assist and guide them through the process. It is important that your provider not only know IT security but also understand the investment management industry and your operations, so that the assessments and the resulting mitigations, policies, and procedures are practical for you. It is also important to realize that although cyber-insurance is not new, it is only now becoming mainstream, and coverages vary widely. Although cyber-insurance is prudent, it is not an alternative or short-cut approach to meeting your cyber-security obligations (or securities laws).
If you have not done so already, take a deep breath, realize this is here to stay, and start to assemble an acceptable timeline at the senior management level to address this guidance, along with the SEC’s Cyber Risk Alert from April 2014. Ashland Partners provides several services addressing the Cyber-Security needs of investment management firms. If we can be of service to you in this capacity, please refer to our Cyber-Security Flyer or contact Jason Millard at 1.541.842.8477 or at firstname.lastname@example.org.