Is Your Cybersecurity Program Airtight?
On January 27th, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued examination observations related to cybersecurity and operational resiliency practices taken by market participants.
OCIE observed a wide range of industry practices, including governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Not every practice is necessary for every organization, but the observations are published so that firms can use them to strengthen their own cybersecurity and operational resiliency.
So, how does this affect the RIA?
For RIAs, it is important to examine each of these areas in detail and determine whether your own practices are airtight. The observations are an opportunity to benchmark your program against industry practice and to mitigate risks that may currently exist.
Here’s a quick breakdown of the OCIE’s observations:
Governance and Risk Management:
OCIE found that organizations with the most effective programs had senior leadership that was engaged in and committed to cybersecurity. Those organizations conducted risk assessments, maintained written policies and procedures addressing the identified risks, and had processes in place to implement those policies and procedures.
Access Rights and Controls:
These organizations granted users access to systems and data based on their job responsibilities, restricted that access to authorized users only, and monitored access to detect unauthorized use.
Data Loss Prevention:
These organizations took measures to prevent data loss, including processes to identify sensitive data and protect it from unauthorized access.
Mobile Security:
Organizations with effective programs recognize that mobile devices introduce additional vulnerabilities. They therefore maintain policies and procedures covering mobile device usage, a mobile device management system, appropriate security measures on the devices themselves, and employee training on mobile security.
Incident Response and Resiliency:
These organizations detect incidents in a timely manner and respond with appropriate corrective action. A firm should be able to contain and remediate an incident quickly, so that downtime is minimal and client information is secured and restored.
Vendor Management:
These organizations conduct due diligence on vendors before engaging them, monitor vendors and their contract terms on an ongoing basis, and assess each vendor relationship for the risk it poses and the protection it provides for the firm's information.
Training and Awareness:
These organizations train employees on cybersecurity risks and their individual responsibilities, building awareness of cyber threats across the firm.