The following excerpt originally appeared in Hedge Fund Law Report and was written by Amy Terry Sheehan.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has announced two new sets of cyber sweeps. This time around, the regulator’s standards have risen, the inquiries will be more rigorous and the examiners are bringing more technical expertise.
By now, the SEC expects that fund managers have invested resources, technology or human capital to align their programs with SEC expectations. To assist fund managers with responding effectively, this article reviews the current and past cyber sweeps and provides advice on how to prepare for a cyber-focused examination.
Over the past five years, OCIE has conducted a series of sweeps examining registrants’ practices related to cybersecurity. Through this process, the SEC has gained information, which, in turn, has helped to both shape its expectations and identify areas of concern and focus.
In the spring of 2014, OCIE announced its Cybersecurity Examination Initiative. In this first cyber sweep, OCIE examined 57 registered broker-dealers and 49 registered investment advisers to “better understand” how those registrants were addressing “legal, regulatory and compliance issues” regarding cybersecurity, the regulator stated in a subsequent risk alert.
In the fall of 2015, OCIE announced its Cybersecurity 2 Initiative. In August 2017, it reported on its observations. It had examined 75 firms, including broker-dealers, investment advisers and investment companies registered with the SEC to assess cybersecurity preparedness.
This second sweep “involved more validation and testing of procedures and controls surrounding cybersecurity preparedness” and “focused on the firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed.”
This year, OCIE has announced plans for two new cyber sweeps.
“The examinations could focus on your network, your vendor management program, your employee training. They can cover many different areas,” explained John Araneo, managing director and general counsel at Align, a global provider of technology infrastructure solutions. “You need to be prepared to talk about each of them.”
OCIE’s 2019 Examination Priorities document specifies certain cybersecurity priorities: “proper configuration of network storage devices, information security governance generally, and policies and procedures related to retail trading information security.” The document also states as follows:
Specific to investment advisers, OCIE will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers, and continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
OCIE has put out a series of risk alerts that provide insight into its cyber priorities based on information it gained from examinations. In 2015, it issued a risk alert documenting what the first sweep had identified. Later that year, it issued another risk alert to provide additional information on the areas of focus for OCIE’s second round of cyber-focused examinations.
On April 16, 2019, OCIE issued a risk alert highlighting some of the most frequent issues it has identified regarding compliance with Regulation S‑P. That alert focuses on insufficient privacy notices; lack of policies and procedures; and specific failures in policy design and implementation.
Most recently, on May 23, 2019, OCIE released a risk alert, entitled “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features” (Alert), addressing risks associated with storing electronic customer records and information in the cloud and on other types of network storage solutions.
OCIE found that, when storing electronic records, registrants were not always using the security features available in their network storage solutions, such as encryption and password protection. The Alert highlights some of the concerns OCIE had identified that may raise compliance issues under Regulations S‑P and S‑ID, including the following:
The SEC is “focusing on the vendor-management issue,” and while for firms with numerous vendors, “it is a very hard task to understand and prioritize and rate them and audit them,” Araneo said, “it’s got to be done.”
Having a boilerplate policy that you do not understand and handing that over to the regulator is “the worst thing you can do,” Araneo advised. If a boilerplate policy is all the firm has, it should “rip it up and tell the regulator the firm is in the process of restarting or refreshing the cyber program,” either internally or by engaging an outside expert. “That’s a much better starting point.”
It is a good start to even have a “basic policy with a network diagram,” as long as it does not include “inaccurate things or things that you’re just simply not doing,” Araneo added.
Araneo explained that it is a “misconception” for firms to think they should hide breaches from regulators. The regulators “don’t have the final answer and are trying to figure this out too.” They are not expecting a “perfect cybersecurity program that covers everything.” Instead, they expect a firm to show them it is “engaged” and building a cybersecurity program “as a process, as opposed to a project.”
Instead of responding only to precisely what is requested, experts advise fund managers to use the opportunity to broadly and thoroughly present their commitment and efforts regarding cybersecurity.
While fund managers should work toward having comprehensive policies that reflect actual practices, the practices are more critical than the written documents.
No matter the length of the firm’s policy, it is important to “be able to be conversant on what the policy does and how you’re carrying it out. If you don’t do that, you will get shot in the foot at the first step of the engagement,” Araneo warned.