The SEC’s Office of Compliance Inspections and Examinations (OCIE) announced a third cybersecurity sweep largely focused on investment advisers. According to published reports, this sweep will primarily look at investment adviser firms that have multiple branch offices or that have been recently involved in mergers and acquisitions.
The sweep was announced in a speech by OCIE Deputy Director Kristin Snyder at the Investment Company Institute’s 2019 Mutual Funds and Investment Management Conference.
This news was not unexpected. OCIE’s 2019 Examination Priorities included cybersecurity as one of the six themes of its 2019 examination efforts. The Examination Priorities report stated:
- OCIE will continue to prioritize cybersecurity in each of its five examination programs. Examinations will focus on, among other things, proper configuration of network storage devices, information security governance generally, and policies and procedures related to retail trading information security. Specific to investment advisers, OCIE will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers, and continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
What happens next?
It has been five years since OCIE announced its initial cybersecurity initiative. During that time, the Commission has continually told broker-dealers, investment advisers and investment companies that data protection is one of its highest priorities. While no one can predict what the SEC may do in any given situation, industry observers expect that this third sweep may well result in more enforcement actions than did the previous two.
What should firms do?
If your firm is an investment adviser that has multiple branch offices or has experienced recent M&A activity, you are now on notice that the SEC considers your cybersecurity programs to be particularly risky. You want to be sure to update your cyber risk assessments, improve policies and procedures where needed, and test your systems.
Other brokers, advisers, and investment companies should not make the mistake of thinking that the heat is off while OCIE looks at the targeted advisers. While this group of advisers is the primary focus of the sweep, don’t be lulled into thinking that the SEC won’t take an interest in what other firms are doing.
In our engagements, we often find that the firms they visit do not have active or consistent testing programs. You do not want the SEC to visit your office and discover that cybersecurity procedures have not been thoroughly tested. The SEC has been emphasizing testing for the past five years – they are unlikely to have much sympathy if they examine a firm where testing is haphazard, infrequent or nonexistent.
Find out more on how NRS can help you with your Cybersecurity Compliance needs by going here.