SEC Exam Prep Focuses on Consultancy Resilience | Thomson Reuters Regulatory watch and compliance learning


An investment adviser’s ability to protect sensitive records and continue mission-critical services during stressful times will be on the Securities and Exchange Commission’s review docket in 2022.

The application of information security controls is essential to ensure business continuity, according to the list of SEC review priorities for 2022, released on March 30, later than usual. This year’s investment adviser regulatory reviews will focus on ensuring that appropriate steps have been taken to protect company data, records and assets.

This is especially true amid heightened cyber threats following Russia’s military invasion of Ukraine, as US federal and local regulators have warned, sometimes with particular reference to the financial sector. Review teams will also focus on business continuity plans and the impact of climate risk and substantial disruptions to normal business operations.

Therefore, a review of the firm’s plans for securing sensitive information and ensuring firm resiliency will help a firm better prepare for upcoming reviews.

Business Continuity

Investment advisors have a fiduciary duty to protect the interests of clients against risk due to an advisor’s inability to provide services after an interruption. To meet this obligation, advisors have typically created written plans to deal with various business disruptions. These plans typically incorporate disruption scenarios, backup locations, alternative communication policies, and ongoing testing and training.

The recent review priorities document highlighted that the application of information security controls is critical to ensuring business continuity. A loss of data or a breach of a firm’s systems can expose non-public information to cybercrime and can impede the adviser’s ability to continue providing services.

“Vigilant data protection is also essential to the functioning of financial markets and the confidence of its participants,” the SEC said in the review priorities document. “Failure to prevent the unauthorized access, use, disclosure, disruption, alteration, inspection, recording or destruction of sensitive documents may have consequences that extend beyond the compromised business to other market participants and retail investors.”

Information Security and Operational Resilience

When an SEC review team examines information security controls, they will focus on whether advisors have taken steps to:

  • Protect client accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access. The steps needed to meet this rather general guideline may depend on whether the firm is a broker or an adviser and on its relationship to the client. Investment advisers must have robust policies and procedures that include, among other things, initial and ongoing due diligence of any interface or software through which advisory clients access their accounts remotely. Advisers who allow their employees to use mobile devices for business purposes and to access customer data should have mobile device management software in place to prevent intrusions.
  • Supervise suppliers and service providers. External service providers can increase efficiency, but they can also be a source of data breaches and cybersecurity risks that affect the adviser. Many external service providers receive, store and process adviser information and have access to advisers’ internal information systems. In a recent cybersecurity rule proposal, the SEC proposed requiring a vendor management program that would include understanding all facets of the vendor contract and implementing vendor monitoring and testing programs.
  • Deal with malicious email activity, such as phishing or account breaches. Email scams like phishing are becoming more common, and advisers need to be prepared for an attempt at any time. Phishing scams are constantly evolving and are designed to infiltrate the recipient’s computer network and obtain information that needs to be protected. The best defense is a comprehensive employee training plan that helps staff identify malicious emails and follow a communication and response plan if an attack succeeds.
  • Respond to incidents, including those related to ransomware attacks. A ransomware attack uses malicious software designed to give an unauthorized actor access to an institution’s systems and to prevent the institution from using those systems until a ransom is paid. Therefore, the foundation of an adequate defense against ransomware attacks is a set of policies and procedures that includes incident response plans and operational resilience. Resilience can come from patch management programs, user access controls, network security, and user training.
  • Identify and detect red flags related to identity theft. An adviser that has policies and procedures in place to protect the firm’s nonpublic information in order to comply with Regulation S-P and Regulation S-ID will be best prepared. Both regulations govern the handling of non-public personal information and offer guidance on detecting, preventing and mitigating identity theft.
  • Manage operational risk resulting from a dispersed workforce in a work-from-home environment. The global COVID-19 pandemic has changed the way many businesses operate. Even though pandemic restrictions have been lifted, many employees continue to work from home. Therefore, training employees and adopting tools to ensure remote-work risks are addressed remain crucial for compliance. A business can be better prepared by identifying the challenges or issues that arose during the first days and weeks of the COVID-19 lockdown and showing how it has adapted and made changes along the way to address those issues.

Finally, the SEC will continue to review advisers’ business continuity and disaster recovery plans, with particular emphasis on the impact of climate risk and material disruptions to normal business operations. These reviews will focus on how business continuity and disaster recovery plans have matured and improved over the years, as well as on advisers’ organizational resilience in anticipating, preparing for, responding to and adapting to both sudden disruptions and gradual changes resulting from climate-related conditions.
