The Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) has launched a third cybersecurity sweep, announced by deputy director Kristin Snyder on March 19th at the Investment Company Institute’s 2019 Mutual Funds and Investment Management Conference in San Diego, California.
The third cybersecurity sweep will focus primarily on cybersecurity practices at investment advisers, encompassing firms with multiple branch offices and those involved in recent mergers and acquisitions (M&As). Because of the fundamental and operational changes firms experience during M&A, complexities arise, risk exposure increases and vulnerabilities surface if cybersecurity is not addressed at the outset and with a comprehensive approach.
This is consistent with the SEC’s 2019 examination priorities, in which the agency communicated it would emphasize these focal areas at advisers and urged them to actively and effectively manage cyber-related issues and operational risk.
Align recommends that all investment advisers with multiple branch offices and those who experienced recent mergers, or other business combinations, focus their efforts on the “cyber six,” which includes:
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Employee Training
- Incident Response
Furthermore, Align extrapolates from this that private equity firms that are integrating the IT structure of their portfolio companies will be of similar interest and certainly on the SEC’s radar.