Should Current Political Winds Impact Your Approach?
A tremor ripped through the Investment Adviser and Broker-Dealer space last week as President Trump signed an Executive Memorandum, a call to investigate the “Fiduciary Rule” and a likely precursor to specific attempts to roll back the Dodd-Frank “Wall Street Reform and Consumer Protection Act”.
The message is clear that the new administration will oppose legislation and planned reforms which may hit the bottom line of financial services firms. The “big one”, the full-scale earthquake rumbling in the background, is whether the elimination of the “Private Adviser Exemption”, which required thousands of Private Funds to register federally with the SEC, will itself be undone if Dodd-Frank is killed. While we assume that this possibility is on the burner, registered and non-registered entities alike should continue to focus on the solid business cases for advancing IT Security within their firms.
IT Security is about more than Regulation
Having promoted IT security practices prior to the Federal initiatives, Executive Orders, and strong adoption of Cybersecurity as an issue by FINRA and the SEC, our mantra has consistently been “don’t let the regulatory tail wag the IT security dog.” In other words, regardless of your fears of regulators, the examination process, and punitive enforcements, your firm needs to consider “Common Sense Cybersecurity” based on protecting your clients, employees, and intellectual property from the daily assault of hackers, criminals, and terrorists knocking on your firewall. Several firms we deal with have experienced a breach or attack in varying forms, and there is nothing like an IT security event to bring home the reality of the issue we are facing, regardless of pending guidance and concerns over papering the process.
The seminal SEC Cybersecurity Roundtable of March 2014 defined fundamental practices such as the need for organizational leadership, ongoing risk assessments, and raising employee awareness and training. Participants in the Roundtable made strong cases for “not legislating” on cyber, as threats, vulnerabilities, and technology are evolving too rapidly to require rigid controls. This movement away from specific controls to information security practices was already underway in the private sector, as popular and long-standing guidance and frameworks have been transitioning to a more flexible approach in which IT security can be achieved through differing means. The SEC has acted with restraint, staying on the course of “fact finding” through two sweeps and issuing practical guidance. Of course, the guidance in and of itself, such as the focus on six core issues in the 2015 Cybersecurity Examination Initiative, has lit a fire under the entire regulated space. The net result is that we see firms as more secure today, assessing internal and external threats and adopting enhancements to their programs.
The Business Case
The twin pillars of IT Security and Business Continuity Practices remain hot-button issues among both institutional investors and a growing population of high-net-worth and individual investors. Awareness of cybersecurity risks, the potential for breach of personal and sensitive information, and daily headlines have investors and business partners alike asking for validation of security and disruption practices as part of “diligensing” investment managers. This demand is growing rapidly, and today we are fielding as many requests for assistance with providing adequate evidence of process for investors as we are for managing regulatory expectations. Firms that manage capital for public or government entities such as pension funds understand well the push into due diligence of cyber-practices, and this approach is working its way down the food chain to individual investors. Finally, many cyber-insurance providers have incorporated thorough questionnaires designed to test your IT Security program. While we see great variation in these nascent practices, some providers will tell you directly that premiums can be impacted by the information practices you have in place.
Regardless of the regulatory breeze, advisers and broker-dealers should be anticipating a few events coming down the road which can be fuel for discussion at the Information Security Committee:
- Results or commentary from the 2015 Cybersecurity Examination Initiative can be expected in the coming months, including an assessment of both weaknesses and how some firms are dealing with the six areas of focus: Governance and Risk Assessment; Access Rights and Controls; Data Loss Prevention; Vendor Management; Training; and Incident Response.
- The New York State Department of Financial Services will finalize its rules with respect to Cybersecurity Requirements for Financial Services Companies. While definitions regarding covered entities may be adjusted, the greater significance is that states are beginning to expand their protections of residents and to require more accountability within organizations. Cybersecurity is on the agenda in most states, and you can expect to see more states follow the lead of Massachusetts, California, and New York.
- The National Institute of Standards and Technology (NIST) has issued version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF). Keep in mind that the Framework is a foundational document for almost all regulatory guidance (FINRA and SEC) of the past two years. We see firms utilizing the framework as validation for investors and as an internal communication document. Some concepts which are being put forward for review, commentary, and finalization in the Fall of 2017 include:
  - Clarification of metrics and measurements for success of information practices, including better-defined incorporation of the Framework Implementation Tiers;
  - Specificity with respect to subcategories addressing Access and Authorization;
  - Expansion of concepts surrounding Supply Chain Risk Management (SCRM), which can be extrapolated to the IT and Operational business partners and services provided to financial firms – or more simply, your vendors.
IT Security is not a partisan issue, though there is plenty of room for discussion and debate regarding how attacks have impacted the political system. The new administration will be proactive and assume the mantle on cyber, even if this means more aggressively shifting responsibility toward the private sector. The problem is still in your hands to determine how best to protect your clients, your employees, your interests, and the reputation of the business. Cyber is one area in which the bad actors won’t take their foot off the accelerator, and, therefore, we recommend that you keep yours down as well.
Please contact Artemis for a discussion of Common-Sense Cybersecurity at your firm.
Presidential Memorandum on Fiduciary Duty Rule (“Fiduciary Duty vs. Suitability”)
Memorandum for the Heads of Executive Departments and Agencies (“The Freeze”)
SEC 2015 Cybersecurity Examination Initiative
NIST CSF 1.1