On August 12th, 2020, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on COVID-19 related risks.
John Araneo, Managing Director of Cybersecurity and General Counsel of Align, and Vinod Paul, Chief Operating Officer, have summarized the Risk Alert’s salient points and outlined practical guidance in today’s blog.
Acknowledging the various COVID-19-related risks and issues faced by SEC-registered investment advisers (RIAs) and Broker-Dealers (together “Registrants”), OCIE recommends that Registrants assess their practices and take active steps, if necessary, to address risks in the following areas:
Protection of investors’ assets.
- Implement additional controls to validate the identity of the investor and the authenticity of disbursement instructions, including whether the person is authorized to make such a request and whether the bank account details (names and numbers) are accurate; and
- Designate a trusted contact person, particularly for seniors and other vulnerable investors.
Supervision of personnel.
- Ensure supervisors have the same level of oversight and interaction with supervised persons when they are working remotely;
- Address controls over supervised persons making securities recommendations in market sectors that have experienced higher volatility;
- Ensure that the oversight and due diligence reviews of third-party managers, investments and portfolio holding companies continue even in the situation of limited onsite due diligence;
- Continue supervision of communications or transactions occurring outside of the Registrant firm’s systems due to employees working from remote locations and utilizing personal devices; and
- Conduct trade surveillance, including reviews of affiliated, cross and aberrational trading, particularly in high-volume investments.
Practices related to fees, expenses and financial transactions.
- Assess conditions that may increase the potential for misconduct related to financial conflicts of interest, accurate calculation of fees and expenses, and failure to refund prepaid fees and expenses when a client terminates their account;
- Validate the accuracy of disclosures, calculations and valuations pertaining to fees and expenses;
- Assess transactions that resulted in high fees and expenses to investors and make sure that they are in the best interest of investors;
- Ensure oversight of investments in light of the potentially increased risk of investment fraud; and
- Report suspicious transactions and potential fraud to the SEC.
Business continuity planning (BCP) practices.
- Reassess supervisory policies and procedures applicable to “normal operating conditions” during periods of extended remote operations;
- Activate measures to:
  - secure servers and systems;
  - maintain the integrity of vacated facilities;
  - relocate infrastructure and support staff operating from remote sites; and
  - improve protection of data in remote locations.
- Confirm that the business continuity plans (BCPs) address redundancies for critical operations, personnel succession plans and mission-critical services.
Protection of investors’ data and other sensitive information.
- Address vulnerabilities around the potential loss of sensitive information, including PII, resulting from:
  - remote access to networks and the utilization of web-based applications;
  - use of videoconferencing;
  - increased use of personally-owned devices; and
  - changes in controls over physical records, such as sensitive documents printed at remote locations.
- Address conditions that may create more opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating firms’ employees, websites and/or investors;
- Address identity protection practices;
- Provide additional training related to:
  - phishing and other targeted cyber-attacks;
  - sharing information while using certain remote systems (e.g., non-secure web-based video chat);
  - encrypting documents and using password-protected systems; and
  - destroying physical records at remote locations.
- Conduct heightened reviews of personnel access rights and controls as individuals take on new or expanded roles to maintain business operations;
- Use validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices;
- Ensure that remote access servers are secured adequately and kept fully patched;
- Enhance system access security, such as requiring the use of multi-factor authentication; and
- Address new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing firms’ systems.
OCIE’s most recent Risk Alert addresses several COVID-related issues for Registrants to consider, including a re-evaluation of their IT environment, their DR/BCP policies and, of course, their Cybersecurity posture.
The Align team leads have been working with Registrants for well over 20 years. They are well suited to provide appropriately-scaled solutions and timely advice to Registrants who are looking to ensure their IT, BCP/DR and Cybersecurity controls meet the prevailing regulatory requirements, technology standards and investor/ODD expectations.
Please note that the foregoing is provided for guidance and informational purposes only, and we invite you to reach out to our Cybersecurity Advisory Team if you have any specific questions or concerns.