Preparing for SEC exam focus on adviser firms’ resiliency

Applying information security controls is critical to ensuring business continuity, according to the SEC’s list of exam priorities for 2022, released March 30, which was later than usual. Regulatory exams of investment advisers this year will seek to ensure appropriate measures have been taken to protect the firm’s data, records, and assets.

This is especially true amid elevated cybersecurity threats following Russia’s military invasion of Ukraine, as US federal and local regulators have warned, at times with particular reference to the financial industry. The exam teams will also focus on business continuity plans and the impact of climate risk and substantial disruptions to normal business operations.

Therefore, a review of firm plans to secure sensitive information and ensure firm resiliency will help a firm better prepare for upcoming examinations.

Business continuity

Investment advisers have a fiduciary obligation to protect client interests from being placed at risk because of an adviser’s inability to provide services after an interruption. To meet this obligation, advisers typically have created written plans to address various business disruptions. Such plans usually incorporate disruption scenarios, back-up locations, alternate communication policies, and ongoing testing and training.

The recent exam priorities document highlighted that the application of information security controls is critical to ensuring business continuity. A loss of data or breach of a firm’s system can make non-public information susceptible to cybercrime and can hamper the ongoing services of the advisory firm.

“Vigilant protection of data is also critical to the operation of the financial markets and the confidence of its participants,” the SEC stated in the exam priorities document. “Failing to prevent unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of sensitive records may have consequences that extend beyond the firm compromised to other market participants and retail investors.”

Information security and operational resiliency

As an SEC exam team reviews information security controls, it will focus on whether advisers have taken measures to:

• • • Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access. Steps to addressing this rather general directive may depend on whether the firm is a broker-dealer or adviser and its relationship to the client. Investment advisers must have robust policies and procedures that include, among others, initial and ongoing due diligence of any interface or software in which advisory clients remotely access their accounts. Advisers that allow their employees to use mobile devices for business and access client data must have mobile device management software to prevent intrusions.
    • Oversee vendors and service providers. Outside service providers can increase efficiency, but they can be a source of data breaches and cybersecurity risks that impact the adviser. Many of the outside service providers may receive, maintain, and process adviser information and have access to advisers’ internal information systems. In a recent cybersecurity rule proposal, the SEC is requiring a vendor management program that would include understanding all facets of the vendor contract and implementing vendor monitoring and testing programs.
    • Address malicious email activities, such as phishing or account intrusions. The risks of email scams like phishing are becoming more common, and advisers must be prepared for an impending attempt. Phishing scams are ever-changing and are designed to infiltrate the computer network of the recipient and gain information that should be protected. The best defense is a comprehensive plan for training firm employees that will help them identify the malicious emails and follow a plan of communication and response if an attack is successful.
    • Respond to incidents, including those related to ransomware attacks. A ransomware attack uses malware designed to provide an unauthorized actor access to institutions’ systems and to deny an institution’s use of those systems until a ransom is paid. Therefore, the foundation of an adequate defense against ransomware attacks are policies and procedures that include incident-response plans and operational resiliency. Resiliency may come from patch-management programs, controls for user access, securing networks, and training users.
    • Identify and detect red flags related to identity theft. An adviser with policies and procedures to protect a firm’s non-public information with an aim to be in compliance with Regulations S-P and S-ID will be best prepared. The two regulations govern the treatment of nonpublic personal information and offer a guide to detecting, preventing, and mitigating identity theft.
    • Manage operational risk as a result of a dispersed workforce in a work-from-home environment. The global COVID-19 pandemic changed the way many firms operate. Even though the pandemic restrictions have lifted, many firm employees continue to work-from-home. Therefore, employee training and the adoption of tools to ensure that remote risks are addressed continues to be crucial for compliance. A firm may be best prepared by identifying challenges or issues that arise during the initial days and weeks of COVID-19 lockdowns and show how the firm has adapted and made changes to address those issues along the way.

Finally, the SEC will continue reviewing adviser business continuity and disaster recovery plans, with particular focus on the impact of climate risk and substantial disruptions to normal business operations. The scope of these exams will include a focus on the maturation and improvements to business continuity and disaster recovery plans over the years, as well as these advisers’ resiliency as organizations to anticipate, prepare for, respond to, and adapt to both sudden disruptions and incremental changes stemming from climate-related situations.