Translating the OCIE Requirements

Article written by Brian Edelman, FCI CEO.
Link to the article: Advisor Solutions by TD Ameritrade.

Cybersecurity is among the Securities and Exchange Commission’s top examination priorities for 2017. Unfortunately, most registered investment adviser (RIA) firms aren’t confident that they could pass an SEC cybersecurity exam, according to Is Your Data Safe: The 2016 Financial Advisor Cybersecurity Assessment by the Financial Planning Association (FPA). The SEC’s Office of Compliance Inspections and Examinations (OCIE) has laid out exactly what examiners will be looking for, but it can be a daunting list for RIAs. To help get firms up to speed, Brian Edelman, CEO of Financial Computer, explains what the regulators are looking for within the six designated areas.

1. Governance and Risk Assessment: Regulators want proof that you have conducted a thorough analysis of your systems to identify, and close, any vulnerabilities, and that you have a written cybersecurity policy tailored to your business rather than a generic template.

2. Access Rights and Controls: Document who has access to what data and how that access is controlled. Do you have multi-level logins and authentication, so that a single password is not the only barrier to client data? Are team members allowed to access that data remotely? If so, are they allowed to use public Wi-Fi, and can they use their personal computers or smartphones? (Hint: no and no. See “Safely Bring Your Own Device to Work” in the Q2 2016 issue of Advisor Solutions.)

3. Data Loss Prevention: This includes the full laundry list of security software, Edelman says: whole-disk encryption, anti-virus and anti-malware software, a personal firewall, cybersecurity monitoring, and encrypted backups. Examiners may also look at how the firm monitors content that leaves the firm, whether sent by employees or vendors, via email or uploads.

4. Vendor Management: Using outside vendors does not shift your fiduciary responsibility to protect client data. The OCIE wants to see your due diligence in vetting third-party vendors and proof that they are fulfilling their contractual obligations with respect to client data.

5. Training: Employees are your first line of defense against cyberattacks, so it’s critical that they are trained in how to spot suspicious activity and when to alert the IT department. You should also expect regulators to review how cybersecurity training is built into the regular, ongoing training of each employee and vendor.

6. Incident Response: This plan outlines the steps the firm and its staff will take in the event of a cybersecurity attack. Who needs to be alerted, and in what order? Who is responsible for making each phone call? You also need to show that you regularly test the plan to make sure it works.

No, following these guidelines won’t eliminate the risk of a cyberattack. But doing so can help prepare you and your firm should an attack occur, Edelman notes.