Understanding the “Cyber 6” Areas of Focus for the SEC Cyber Security Exams

There has been a lot of press and information about the growing number and complexity of cyber security risks facing RIA firms. So much so that the Securities and Exchange Commission (SEC) has made cyber security a focus for its audits and exams in 2016. To help Registered Investment Advisor (RIA) firms take the right steps to protect their clients’ data, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has distilled the National Institute of Standards and Technology (NIST) Cybersecurity Framework down to six focus areas for its exams.

At first glance, the “Cyber 6” list looks daunting, so we wanted to break it down for you to understand what the SEC is looking for in each of its six areas of focus.

Don’t become overwhelmed and paralyzed. Each of these standards can be tackled proactively by adopting a firm-wide commitment to cyber security among all of your people and by using technology tools to protect your data. Documentation of how you address each of these focus areas will be important for the exam.

Here is a breakdown of the OCIE’s “Cyber 6” Exam Standards:

Governance and Risk Assessment.
The SEC wants to see a formal plan of action or program for how your firm will address cyber security risks. What policies and procedures are in place to protect your clients’ data? Who in the firm is accountable for compliance and security? What operating model or structure is in place to protect your network? What employee training has been done? How often will your network be tested, or your policies updated? Documenting how your firm will address and govern cyber security risks is the key here.

Access Rights and Controls.
Examiners will be looking at the basic controls in place to prevent unauthorized access to your network. How is the network protected? What controls govern access to your network? Is your firm relying on simple passwords or using multifactor authentication? How is access protected when employees travel or work remotely? How promptly are access rights updated when employees join or leave the firm? Again, having policies and procedures in place and documented is important.

Data Loss and Controls.
What are your firm’s disaster recovery policy and procedures? What is the total expected downtime for your firm in the event your entire infrastructure is lost and has to be recovered? What are your plans for communicating with your clients and transacting business in that scenario? Are these policies and procedures tested and updated?

Vendor Management.
Many of the major cyber security breaches reported in the news over the past two years occurred because vendors working with the affected firm did not have the same level of security or standards in place. It is imperative that your firm assess the security level and policies of vendors who have access to your network. The SEC will want to see how you select vendors, conduct due diligence, and monitor their access to your network. Keep in mind that this applies not only to any outsourced IT management firms but also to any firm with access to your network, such as a payroll services provider, printer and scanner vendors, HVAC engineers, etc.

Training.
At ĪTEGRIA®, we believe that cyber security is a social issue, not a technology issue. For an RIA firm to truly protect itself, it needs to start from within. Every employee, from the CEO on down, needs to understand cyber risks and embrace the controls necessary to protect the firm. Training is a key component of that. We recommend training every member of the firm, and even vendors, on what behaviors are expected of them to protect the network, how to identify a breach, and what to do if they think the network has been compromised. Explain the potential impact a cyber attack may have on your firm’s operations and reputation, let alone what it might mean for your customers. Spell out employee obligations, particularly around the use of mobile phones and public Wi-Fi in places like hotels or conferences. The SEC has not defined what kind or amount of training is needed, but it will be important to show examiners that you have a training program in place.

Incident Response.
There are three key components to show the SEC how you plan to respond to a cyber attack. First is identification. How will you know if your network has been compromised? It’s not always easy to tell. You will need to demonstrate what measures are in place to identify a breach. Second is data collection. You will need to demonstrate that you are logging enough data on your network activity that a forensic team can see where the network was breached and what was taken. Third is what action you will take if there has been a breach. You will need to have identified a trained forensic team to call in the event of a compromise.

The main thing is that the SEC wants to see that you have taken action to protect your firm and your clients’ data and have documentation to prove it.

To help RIA firms comply with the “Cyber 6” areas of focus for the OCIE exams in 2016, we have launched our new solution, AdvisorGuard™, designed to give you the information to protect your firm and help meet the cyber security compliance mandates. Using a combination of best-in-industry diagnostic tools to identify threats to your systems, this service will scan your systems monthly to identify vulnerabilities; identify, track, and block suspicious URLs; and prevent malicious software from shutting down your systems or creating a gateway for attackers to access sensitive data. AdvisorGuard will also give your environment an extra layer of protection by deploying multifactor authentication to all of your workstations and servers.

If you would like more information about how our new solution AdvisorGuard helps you protect your firm, contact us or give us a call at 224-563-3602 with any questions.