As 2020 looms on the horizon, Chief Compliance Officers (“CCOs”) should begin laying out their compliance roadmaps for the New Year. An area of review that should undoubtedly be a part of CCOs’ 2020 planning is cybersecurity. Cybersecurity remained at the top of the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations’ (“OCIE”) examination priorities for 2019 and there is no reason to doubt it will remain so in 2020 as cyber-threats continue to grow and become more sophisticated.
The use of technology in the financial industry has become much more commonplace over the last few years, which means the potential for experiencing a cyberattack is a very real risk. For that reason, it’s extremely important that CCOs and Information Security Officers (“ISOs”) review their firm’s cybersecurity program at least annually. A review should not only consider the extant risks surrounding the firm’s IT infrastructure and think about the improvement of existing controls, but also what technology changes are being contemplated for the firm during the next year.
In this Risk Management Update, we discuss cybersecurity considerations for 2020, along with steps to help ensure you are well prepared.
Considerations for 2020
As our access to complex technology continues to grow with such advances as the “Internet of Things” (e.g., mobile access for security systems, lights, and climate controls) and Artificial Intelligence (“AI”), so does our susceptibility to cyber-threats. It is anticipated that 2020 will continue to see cyberattacks grow in complexity and frequency. For example, Ransomware attacks are becoming more sophisticated and targeted, and 2020 will most likely bring more impactful Ransomware attacks.
The California Consumer Privacy Act
Regulators have been more focused on consumer protections in cyber-space. For example, in 2018 the European Union adopted the General Data Protection Regulation (“GDPR “), which created regulations that require all companies (regardless of location) that collect or process personal identifying information (“PII”) of any EU residents to implement notification, consent, and protection protocols. California has followed suit, and enacted the California Consumer Privacy Act (“CCPA”), which is designed to protect consumer rights of those "natural persons" who are residents of California. The CCPA has specific thresholds for the businesses that collect consumer data, but the impact to these businesses that collect and store PII can be extensive, so it’s important for CCOs and ISOs to consider the potential impacts and determine whether their cybersecurity policies and procedures and incident response plans properly address the privacy mandates under the CCPA.
When Was The Last Time You Reviewed Your Cybersecurity Policies and Procedures?
The basis of any good cybersecurity program starts with a firm’s policies and procedures. As is the case with other areas of compliance, cybersecurity policies and procedures establish the framework from which the CCO and ISO are able to implement and enforce the firm’s cybersecurity program and strengthen and develop appropriate controls. However, a firm’s cybersecurity policies and procedures are only as effective as they are current to a firm’s business practices, and stale cybersecurity policies and procedures can increase a firm’s vulnerability to cyber-threats exponentially.
In addition to the required annual review, a firm’s cybersecurity policies and procedures should be reviewed any time there is a change to the firm’s electronic landscape and when new cyber threats appear. CCOs and ISOs should consider using OCIE’s Risk Alerts and the SEC’s Division of Investment Management’s (“IM”) Guidance reports as tools in evaluating the adequacy and efficacy of the firm’s policies and procedures. For example, in their August 2017 Risk Alert, OCIE outlined elements of robust policies and procedures, which included:
- Maintenance of an inventory of data, information, and vendors
- Detailed cybersecurity-related instructions
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities
- Established and enforced controls to access data and systems
- Mandatory employee training
- Engaged senior management
In their “2019 Examination Priorities” list, OCIE laid out their focal areas for reviews of investment adviser cybersecurity including “governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.” These six areas highlight essential components of a firm’s cybersecurity program and are important foundational components for CCOs and ISOs to consider when reviewing policies and procedures.
Additionally, the CCO and ISO should consider reviewing the outcomes of publicized cyberattacks to determine if vulnerabilities that were exploited in those attacks are also exploitable in their firm’s existing IT infrastructure. For example, in August 2019, a number of municipalities in Texas were hit by a rash of ransomware attacks which crippled key components of their infrastructure and not only highlighted vulnerabilities in their systems, but also issues with cybersecurity training for their employees, as well as failure to adequately back-up their systems in order to restore them to working order. Examples like these can serve as important points of comparison to determine if a firm’s cybersecurity policies and procedures adequately address training, incident response plans, data governance, and access rights.
When Did You Last Perform a Cybersecurity Risk Assessment?
Risk assessments are necessary tools that assist firms with identifying vulnerabilities in IT infrastructures and can help improve and implement additional controls in a cybersecurity program. A risk assessment should be performed at least annually, and if it has never been performed, then it should be done so as soon as possible. CCOs and ISOs should develop a testing plan based not only on the firm’s cybersecurity policies and procedures, but also on current cyber-threats and vulnerabilities, and identify low, medium, and high risks within the aforementioned areas of governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
Additionally, firms should look at external resources such as the SEC’s “Cybersecurity and You” resource (https://www.sec.gov/spotlight/cybersecurity), as well as information issued by the Cybersecurity and Infrastructure Security Agency (“CISA”, https://www.us-cert.gov/), which provide guidance for small to mid-size businesses on what to evaluate when conducting cybersecurity risk assessments. Also, Core Compliance recently published Risk Management Updates on end of year compliance checklist and cybersecurity considerations, and both provide considerations for risk assessments.
Are You Prepared for a Cyber-Attack?
Last, but certainly not least is ensuring that the firm has a detailed Incident Response Plan (“IRP”) in place that outlines how the firm will identify, contain, eradicate, recover, and review cyberattacks. If the firm has not created an IRP, then it is essential to do so as soon as possible. Not only do the regulators expect firms to have IRPs, but importantly, they are crucial in addressing and rebuilding a Firm’s IT infrastructure in the event of a cyberattack.
Cybersecurity is an essential part of a firm’s end-of-year planning and should be done with the utmost care. CCOs and ISOs need to ensure that they have adequately reviewed their firm’s cybersecurity policies and procedures, performed robust risk assessments, and conducted reviews of their IRPs so that the firm is well-prepared when cyberattacks strike, and also when regulators conduct exams.
For more information on, or assistance with conducting reviews of your cybersecurity program or other compliance areas, please contact us at firstname.lastname@example.org, at (619) 278- 0020, or visit us at www.corecls.com.
Author: Adam Stutz, Compliance Consultant; Editor: Tina Mitchell, Lead Sr. Compliance Consultant Core Compliance & Legal Services, Inc. (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
Jacko, Michelle. “The California Consumer Privacy Act (CCPA): What You Should Do Now to Prepare.” Jacko Law Group, PC, June 2019, https://www.jackolg.com/tip-The-California-Consumer-Privacy-Act-CCPA-What-You-Should-Do-Now-to-Prepare.
 Most recent are: “Risk Alert: Observations from Cybersecurity Examinations.” U.S. Securities and Exchange Commission, 7 Aug. 2017, www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.; and Division of Investment Management. “IM Guidance Update: Cybersecurity Guidance.” U.S. Securities and Exchange Commission, Apr. 2015, www.sec.gov/investment/im-guidance-2015-02.pdf.
 Ibid. pgs. 4-5
 “2019 Examination Priorities.” Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission, 20 Dec. 2018, https://www.sec.gov/files/OCIE%202019%20Priorities.pdf.