On January 27, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued examination observations related to cybersecurity and operational resiliency practices taken by market participants.
OCIE observed a wide range of industry practices across governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Not all of the practices are necessary for every organization, but the observations are available so that an organization can enhance its cybersecurity and operational resiliency.
So, how does this affect the RIA?
For RIAs, it is important to take a look at each of these areas in detail and determine whether your practices are airtight. These observations give you an opportunity to ramp up your own practices and mitigate any risk that might currently exist.
Here’s a quick breakdown of the OCIE’s observations:
Governance and Risk Management:
Per their observations, they found that organizations with the most effective practices had leadership that was committed to the cause. The organizations had risk assessments, written policies and procedures for those risks, and implementation processes in place.
Access Rights and Controls:
OCIE found that these organizations granted users access to systems based on their job functions, limited that access to authorized users only, and monitored access to those systems.
Data Loss Prevention:
These organizations put data loss prevention measures in place, including processes that protect sensitive data from unauthorized users.
Mobile Security:
Organizations with effective programs and practices know that mobile devices bring additional vulnerabilities. Therefore, they have policies and procedures built around mobile device usage. They also have a mobile device management system in place, proper security measures, and training for employees.
Incident Response and Resiliency:
These organizations detect incidents in a timely manner and respond with the appropriate corrective action. The company should be able to correct the incident quickly so that there is little downtime before information (including client information) is secure again.
Vendor Management:
These organizations conduct due diligence on vendors, monitor vendors and contract terms, and assess vendor relationships with regard to risk and the protection of information.
Training and Awareness:
These organizations provide training that informs employees about risks and responsibilities while raising awareness of cyber threats.