Examination Priorities – Making Your Program Real
The Priorities: More of The Same
The SEC released its 2017 Exam Priorities last week. For the last couple of years, when the long-awaited priorities have been released, I have been reminded of a press conference that the late Presidential candidate and Senator Fred Thompson gave in 2008. It was expected he would announce that he was dropping out of the race, and Chris Matthews at MSNBC cut to the podium with something that could only be described as boyish glee. Senator Thompson approached the podium and, in essence, said “I’m going home for a few days. Stay the course!” and walked away. Chris Matthews sat, jaw agape, for a moment and then said “I think we’ve been snooked.” [i]
Much like Mr. Thompson’s non-announcement, the SEC has decided to “stay the course” with respect to cybersecurity, without telling us in any detail what we should be doing or how we should be protecting our networks, our employees, and our customers. They will, however, continue to “examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls”. [ii]
Reading the Tea Leaves
A simple read of the tea leaves thus informs us that:
- The SEC will continue to incorporate cybersecurity into its exam process wherever it can in the field. This has meant, and will likely continue to mean, that different regions approach cybersecurity in their own way. We have spoken with clients who have received exams that only made a cursory glance at cybersecurity, and others who have had it be the focus of their exam process, especially on the document production side. It is a roll of the dice which type of exam you will get.
- The brevity of the SEC’s language, together with its stated intent to test implementation, suggests that examiners will focus less on boilerplate policy and procedure and more on what the firm actually does. As you develop your cyber program, create it or tailor it to your firm’s specific circumstances and needs. Also make sure that what you write down is, in fact, achievable. We have seen firms that get a proverbial head of steam up regarding cybersecurity and craft elaborate policies and excellent control statements, only to fall down on them six months or a year later. Do everything that you set out to do, and don’t leave your program an empty shell.
A New Twist
- In years past the regulators have mentioned “Multi-Branch Advisers” and their focus on inappropriate trading or other activity that may occur at those branches. The language this year changed somewhat, and the SEC noted that “The use of a branch office model can pose unique risks and challenges to advisers, particularly in the design and implementation of a compliance program…” (emphasis mine) [iii]. We have seen examiners cast a wide net in this direction as well, wanting to know how cybersecurity controls are enforced at remote locations and at home offices. New technologies are making the integration of home and remote offices more seamless, but CCOs and technology teams must be aware that part of a robust cyber program, and by extension a robust compliance program, is ensuring that every avenue into the firm and every endpoint is covered.
Sizing up the Regulatory Competition
As we all know, the SEC does not operate in a vacuum, so when we review the SEC’s exam priorities with respect to cybersecurity, it is worth looking across the general compliance landscape to our friends at FINRA and the CFTC/NFA.
FINRA continued to beat the drum on cybersecurity, but drew a clearer connection than the SEC to cybersecurity controls at branch offices, noting that “controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices.” [iv] FINRA kept it simple here, mentioning “poor controls” relating to:
- Use of passwords;
- Encryption of data;
- Use of portable storage devices;
- Implementation of patches and virus protection; and
- The physical security of assets and data.
These five areas are the fundamental building blocks of a cybersecurity program, regardless of your regulator. If you do not have these pieces in place at your home office or your branch offices, you can expect to find trouble with your regulator at best, and with hackers at worst.
The NFA Offers Some Help
In 2016, the NFA issued an interpretive notice to several of its compliance rules, titled Information Systems Security Programs. [v] In an effort to assist its member firms, the NFA has since enhanced its General Self-Examination Questionnaire to include a cybersecurity self-assessment in line with its ISSP requirement. The questions are not out of the ordinary, and the vast majority would apply to any firm operating in the financial services space. You can find the questionnaire here: https://www.nfa.futures.org/nfa-compliance/publication-library/self-exam-questionnaire-general.pdf. The cybersecurity portion begins on page 13.
Take-Aways and To-Dos
With a new administration, there has been much talk of regulatory roll-back and, indeed, we may see it. However, cybersecurity is a non-partisan issue and is likely to remain front and center. We wouldn’t wait to see how the politics of the issue shake out, because network attackers won’t. So, regardless of your regulator (or regulators, if you are so lucky), you should by now be incorporating cybersecurity into your Annual Review process. At the very least we recommend reviewing:
- Your cybersecurity policies and procedures, to determine whether they are effective and whether the firm actually follows them;
- Your hardware and software inventories for all offices and locations;
- Your connection points and the controls surrounding them, especially home offices;
- Changes in your business, in the information you store, or in how you store it;
- Your firm’s physical security controls;
- Your vendor management program;
- Your Incident Response Plan; and
- Your Business Continuity/Disaster Recovery Plan.
Most firms that we talk to these days have many of these items buttoned up already and are looking beyond the fundamentals. They are asking us “What’s next?” The horizon is broad, and firms that are looking to advance their programs are focusing on moving them beyond a paper process. They are looking at tools and systems to identify vulnerabilities, to monitor their networks for intrusion or exfiltration, and to proactively discover new assets and potential problems as they develop. In short, firms are looking to “make their plans real.” Most firms are surviving by the adage:
You don’t need to be the fastest zebra on the plains, but you don’t want to be the slowest.
[i] Sadly, this clip appears to have been lost to time.
[ii] https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf
[iii] https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf
[iv] http://www.finra.org/sites/default/files/2017-regulatory-and-examination-priorities-letter.pdf
[v] If, as an RIA or BD, you haven’t read this notice yet, it provides some good, common-sense thoughts on developing a cybersecurity program. It can be found here: https://www.nfa.futures.org/news/newsNotice.asp?ArticleID=4649