Regulatory guidance on cybersecurity shows little sign of abating and additional governmental legislation continues to complicate every CCO’s day. With the regulatory landscape continuing to grow more complex, we pause to ask the question: Have you thought about your next presence exam?
Preparing today can be the most important step you as a CCO can take. Your diligence and forethought may influence the tenor of the exam process and the perception of the maturity of your Compliance and IT Program, whether or not regulators decide to press deeper into IT issues. Regardless of the nature of the tempest a regulatory exam might create, building a program that can withstand the storm (cyber or otherwise) will protect your business, your firm’s reputation, and most importantly, your clients.
Read on for 5 questions you must be prepared to answer in your next exam…
The Big Picture
Fortunately for all participants, across industries, the still-evolving “standard of care” that is emerging from the hodgepodge of regulatory guidance and State law calls for a “risk-based” process to determine your firm’s potential cybersecurity issues. In other words, rather than legislating a strict control-based approach, as is the case for some industries (such as retail and healthcare, with PCI-DSS and HIPAA/HITECH, respectively), most firms can begin their process from what should be familiar territory: determining cybersecurity risks according to the business model, size and scope, and value delivery through the use of IT services. We don’t mean to oversimplify the concept, since Compliance with Federal and State Rules and Regulations should be a cornerstone of your process; however, risk assessment as a starting point, as emphasized in the Division of Investment Management’s April 2015 Guidance Update, makes sense from the standpoint of addressing both Regulatory and Business Risk.
Additionally, while from a best-practice standpoint cybersecurity consideration is an ongoing process, if there was ever a time to connect Cybersecurity as a focus area to your 206(4)-7 Annual Review Process, it is now.
Thus, the starting point for the Cybersecurity or IT-based examination of the future begins at the high-level, ensuring that you are speaking the regulators’ language and have addressed foundational concerns.
- Who is your Chief Information Security Officer (CISO) or who, at your firm, performs a similar function? This question comes directly from the SEC Cybersecurity Sweep Document Request, but have you considered that this person needs to have an equal understanding of regulatory and granular IT issues? What type of relationship does this person have with Compliance and Legal? Is this person empowered to escalate concerns to the Board of Directors or Executive Management? Finally, is this person prepared to be interviewed as part of the examination process? If you are drawing a blank on who this person might be, or answering no to most of these questions, we would recommend a review of the role and responsibilities as a starting point.
- Do you have a risk identification and communication mechanism, such as an Information Security Committee or IT Steering Committee, that considers cybersecurity risk? Has this committee put the latest SEC and Department of Justice guidance on the table for consideration? Are the various periodic risk assessments addressed through this committee? (See “Is Risk Assessment Mandatory?” for more.) As a best practice, membership in the committee may include Compliance, Legal, and some Executive Management. Of course, careful documentation of agenda and process should be maintained.
- Have you had a Breach or unauthorized access to information/data, and how did you manage it? The follow-on will likely be: may we see your Incident Log and documentation of any such incidents? These questions truly open Pandora’s Box concerning process, Response and Recovery Plans, and your internal management of such issues. This is very tricky territory related to timely disclosure and regulatory requirements for managing breach. Keep in mind the litany of existing Rules and Regulations tied to cybersecurity failures through the Division of Investment Management’s Guidance Update, with special attention to the notion that fraud (as related to the Investment Advisers Act of 1940) may also come into play if internal incidents are mismanaged. The notion of disruption tied to breach can easily be expanded to include errors in critical systems related to your business processes. Beyond data loss issues, have there been other errors in critical areas – your OMS, quantitative processes, and other systems tied to compliance functions?
- Do you have a Response/Recovery Plan? Is it real, and have you tested and documented it? The Department of Justice Guidance “Best Practices for Victim Response and Reporting of Cyber Incidents” has raised the bar on this issue to include more granular points, such as detailed digital forensics and pre-breach and post-breach remediation steps. While it may take a while, we strongly believe that a request for your Incident Response and Recovery Plan(s) will become standard in Exam Document Requests. Additionally, your logging, testing, and documentation regarding incidents will be of particular interest to regulators. If you have not addressed this issue, or are not sure how to proceed with planning or documentation, we recommend you obtain assistance wherever necessary. This is not an issue to be ignored.
- Do you utilize any existing cybersecurity or IT security frameworks or standards in administering your program? With the NIST Cybersecurity Framework referenced in virtually all guidance of the past year and across industries, implementation of such a framework would clearly be viewed favorably by regulators. We view the Framework as the current dragon-slayer in that, if your firm has taken the trouble to fully implement it, you are demonstrating to regulators, customers, and business partners that you are taking cybersecurity and risk management seriously. This demonstrable effort can go a long way to allaying concerns from regulators, customers, and vendors, and is a clear indication of your efforts to be a good corporate citizen.
These five questions, which draw on past sweep efforts, their corresponding results, and the subcategories of the NIST Cybersecurity Framework, constitute a limited, high-level review of your program at large. If you can answer this set of questions concisely, you are likely to steer the exam process away from the rocks of the deeper-dive examination.
There are many other issues of critical importance to regulators, such as Third-Party Vendor Due Diligence, Data Classification (which should be rolled into your periodic risk assessments), Encryption and Data Loss Prevention, and monitoring of high-risk employees. The list goes on, but if you can start the message out on the right foot, even including such foundational elements in your initial presentation to regulators, you will be headed in the right direction.
If you’re not sure where to start or how to implement these suggestions at your firm, please contact me for a complimentary conference call. We are pleased to discuss your firm’s specific circumstances in a confidential, judgement-free environment! I can be reached at Tim@ArtemisSecure.com or 860.248.4100 x803.
For Further Reading:
Is Risk Assessment Mandatory Via Recent SEC/FINRA Guidance?
Division of Investment Management’s Recent Guidance Update