Cybersecurity once again remains a compliance focal point, while IT infrastructure emerges as a thematic concern across multiple regulatory priorities.
On March 3, the U.S. Securities and Exchange Commission (the “Commission”), under the auspices of its newly named Division of Examinations (f/k/a the Office of Compliance Inspections and Examinations or OCIE), published its 2021 Examination Priorities, which yet again reflect the increasing significance that an appropriately scaled cybersecurity program and the underlying IT infrastructure both have for a firm's compliance and risk management programs.
Read on for a recap of the document as well as further insight from John Araneo, Esq., Align's Managing Director of Cybersecurity & General Counsel, and Alex Bazay, Align’s Chief Information Security Officer.
What you need to know about the regulatory landscape, cyber and IT:
The salient points of the Division of Examinations’ (the “Division”) report that relate to cybersecurity and IT infrastructure include:
- The impact of a data breach typically has consequences that extend beyond the compromised firm, to other market participants and retail investors.
- Over the past year, the sudden shift to a decentralized workforce and remote operations raised new concerns about, among other things, endpoint security, data loss, remote access, use of third-party communication systems and vendor management.
- The Division will review whether firms have taken appropriate measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; and (5) manage operational risk as a result of dispersed employees in a work-from-home environment.
- Building on the efforts noted above concerning our business continuity plan outreach related to the pandemic, the Division will shift its focus to whether such plans, particularly those of systemically important registrants, account for the growing physical and other relevant risks associated with climate change. The scope of these examinations will be similar to the post-Hurricane Sandy work of the Division and other regulators, with a heightened focus on the maturation and improvements to these plans over the intervening years.
Access the full 2021 Examination Priorities Document published by the Commission here.
Key Takeaways from Align:
Cybersecurity remains a top-line, systemic market risk on which both regulators and the institutional investment management community are acutely dialed in.
- For the 8th straight year, cybersecurity has remained a top regulatory risk. The Commission continues to shape the evolving contours of what control elements constitute a model cybersecurity program.
- The Division correctly acknowledges that a singular breach has consequences that go far beyond the firm being compromised, which demonstrates the systemic nature of cybersecurity risk.
- Ultimately, cybersecurity is a pervasive and omnipresent market risk that goes far beyond the actual quantum of investor data that a manager (or its service providers) stores or maintains within its systems and workflows and falls equally but proportionately on every investment manager.
Underlying IT infrastructure has never been more critical to the success (or failure) of an investment management firm.
- The shift to a distributed workforce was an overarching concern among many, if not all, of the exam priorities as the remote work model raises visceral risk management issues and critical considerations on firms’ operational controls, compliance programs and governance structures.
- As firms have moved from the corner office to the home office, there is a renewed focus on identifying and implementing appropriate cybersecurity controls. However, since the underlying IT infrastructure provides the construct from which all cybersecurity, operational, workflow and risk management controls are fashioned, it can no longer be an afterthought.
- A discernible, defensible IT infrastructure is arguably the most consequential decision a fund manager can make, as it affects virtually every aspect of a firm’s business.
- To learn more about Align's Cybersecurity Advisory Practice, visit here.
- Download the whitepaper on Cyber Security Awareness.