The 206(4)-7 Annual Review and Cybersecurity. Steps for the CCO to Consider and Elements of the Compliance Rule
Now is the perfect time to consider the incorporation of IT Security/Cybersecurity into the Annual Review process. While ownership of the Compliance and the IT functions may belong to management, there is no getting around the fact that the SEC’s version of the Cybersecurity Initiative has been left at the doorstep of the Chief Compliance Officer.
Like many other critical processes, cybersecurity has been dumped on the CCO. As the gatekeeper for monitoring compliance with rules and regulations, the CCO had little choice in the matter. The Commission had not addressed IT Security in any comprehensive manner prior to Executive Order 13636 of February 2013 and was clearly playing catch-up. The rapid deployment of the initiative has reinforced the Commission’s view that Compliance must include Cybersecurity in its checklist. But how to do so effectively? The best path may be simply to treat Cybersecurity as another component of the Annual Review.
In fact, the SEC has already implied that Cybersecurity must be incorporated into the 206(4)-7 process. Going back to the Division of Investment Management’s Cybersecurity Guidance of April 2015 (IM Guidance Update 2015-02), the staff suggested that firms:
Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.
The DIM guidance also referenced Rule 206(4)-7, and I would remind our readers that the R.T. Jones Enforcement relied heavily on the notion of a failure of policies and procedures. (see our previous post: Lessons from Cyber Enforcement for the CCO.)
We should also mention that in recent years the SEC, outside of Cybersecurity, has focused on 206(4)-7 and tied enforcement to various failures ranging from the recording of significant compliance events to an all-out lack of process with respect to the Annual Review.[1]
Historically, there has been little guidance concerning the Annual Review process, leaving open the methods and means to the firm, provided the basic notion set forth in Rule 206(4)-7(b), that the adviser must review the adequacy and effectiveness of its policies no less frequently than annually, is preserved. There is additional specific guidance from the Compliance Rule to be discussed in light of the recent Cybersecurity initiative, but from a high-level, we recommend that, if you are not yet incorporating IT Security/Cybersecurity into your Annual Review, now is the time.
Elements of 206(4)-7 and Cybersecurity
- The Rule does not require the CCO to perform the Annual Review himself or herself. Although CCOs have been held responsible for egregious failures in the enforcements referenced below (see Equitas), we read this to mean that the CCO can delegate the testing of adequacy and effectiveness to IT personnel, consultants, and other hands who, at a minimum, can assist in aggregating the monitoring data that validates IT Security processes. If the CCO lacks specific IT competence or understanding, such delegation may be essential to the oversight process. At the very least, line up the supporting personnel and resources who will supply the metrics behind your Review of policies related to IT Security/Cybersecurity.
- The Rule does require that the adviser maintain any records it creates in the course of conducting an Annual Review (more precisely, this is the Books and Records Rule, 204-2(a)(17)(ii)). The CCO, with the assistance of personnel, should therefore retain the monitoring data and information behind the Annual Review of cyber-related policies. We often suggest various forms of data the CCO should aggregate to evidence monitoring adequacy and effectiveness, including but not limited to:
  - Validation of onboarding/offboarding of personnel and the corresponding permissions for access to systems and data;
  - The periodic audit of Active Directory settings and group memberships to ensure appropriate permissions;
  - Reporting and logging of systems monitoring and related IT security incidents or events;
  - The maintenance of both Business Continuity and IT Response and Recovery testing information and results;
  - Due diligence of IT vendors, especially those who maintain client information and PII (oversight of such service providers is required by Regulation S-ID if you are subject to the full extent of the Rule);
  - Results of Vulnerability Management testing such as network and system scanning (discussed in Lyman Terni’s recent post, Identifying Vulnerabilities).
Keep in mind that the SEC examination staff may well look for records as evidence that the Annual Review has been conducted in addition to the Review itself.
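The first two items in that list are the easiest to turn into a dated, retainable record. The following is an added example, not code from the original post or from any firm’s program: it reconciles a constructed HR roster against a constructed directory export (in practice the export would come from Active Directory or your identity system) and reports the offboarding and privileged-access exceptions a CCO would want on file. The user names, group names, dates and the approved-administrator list are all made-up assumptions for illustration.

```python
"""Access reconciliation for the Annual Review record.

Added example (not from the original post): reconciles a constructed HR
roster against a constructed directory export to produce the
onboarding/offboarding and privileged-access evidence described above.
All records below are made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str                     # "active" or "terminated"
    term_date: Optional[date] = None


@dataclass(frozen=True)
class DirectoryAccount:
    user: str
    enabled: bool
    groups: frozenset
    last_logon: Optional[date]      # None = never logged on


# Constructed inputs standing in for an HR export and a directory export.
HR_ROSTER = [
    HrRecord("asmith", "active"),
    HrRecord("bjones", "terminated", date(2016, 3, 1)),
    HrRecord("cdoe", "active"),
]
DIRECTORY = [
    DirectoryAccount("asmith", True, frozenset({"Users", "Domain Admins"}), date(2016, 4, 10)),
    DirectoryAccount("bjones", True, frozenset({"Users", "Domain Admins"}), date(2016, 3, 15)),
    DirectoryAccount("cdoe", True, frozenset({"Users"}), date(2016, 4, 11)),
    DirectoryAccount("svc_backup", True, frozenset({"Domain Admins"}), None),
]
# Hypothetical list of users approved for privileged groups.
APPROVED_ADMINS = frozenset({"asmith"})
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins"})


def reconcile(hr_roster, directory, approved_admins, privileged_groups=PRIVILEGED_GROUPS):
    """Return exceptions keyed by finding type; every list empty means clean."""
    hr_by_user = {r.user: r for r in hr_roster}
    findings = {
        "terminated_but_enabled": [],   # offboarding not completed
        "logon_after_termination": [],  # credential used after the leave date
        "orphan_accounts": [],          # no HR owner (service or stale accounts)
        "unapproved_privileged": [],    # privileged member not on the approved list
    }
    for acct in directory:
        rec = hr_by_user.get(acct.user)
        if rec is None:
            findings["orphan_accounts"].append(acct.user)
        elif rec.status == "terminated" and acct.enabled:
            findings["terminated_but_enabled"].append(acct.user)
            if rec.term_date and acct.last_logon and acct.last_logon > rec.term_date:
                findings["logon_after_termination"].append(acct.user)
        if acct.groups & privileged_groups and acct.user not in approved_admins:
            findings["unapproved_privileged"].append(acct.user)
    return findings


def evidence_record(findings, reviewed_on):
    """Dated summary suitable for retention under Rule 204-2(a)(17)(ii)."""
    total = sum(len(v) for v in findings.values())
    return {
        "reviewed_on": reviewed_on.isoformat(),
        "exceptions": total,
        "clean": total == 0,
        "detail": {k: list(v) for k, v in findings.items() if v},
    }


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, DIRECTORY, APPROVED_ADMINS)
    print(evidence_record(result, date(2016, 4, 30)))
```

Run quarterly, the dated records this produces are exactly the kind of monitoring evidence an examiner can be shown alongside the Review itself; the point of the orphan and post-termination checks is that an account still enabled after a leave date is a finding in its own right, not just a hygiene item.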
- The Rule does require that the adviser establish and implement an effective compliance program, which implies that the program be effective at all times. This dovetails with the best-practice concept that IT security is an ongoing process. The easiest way to incorporate cybersecurity into your Annual Review is to lean on the continuous aggregation of the monitoring data mentioned above. While the overall process is reviewed annually, you are actually confirming adequacy and effectiveness continuously via your monitoring and, if in place, your Information Security Committee meetings.
- The Cybersecurity component of your Annual Review could be guided by the SEC’s five suggested periodic assessments. We have mentioned the periodic assessments discussed in the Division of Investment Management’s Cybersecurity Guidance in past posts, but we believe advisers should keep them in the forefront because, sooner or later, the SEC will ask in the examination process: “What are you doing about the five recommended assessments?” We list them again for your consideration; validation of these assessments could satisfy the Annual Review requirement. While this may seem daunting at first, we have provided advisers with a simple, template-based approach with common risk assessment steps for addressing these points:
  - the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
  - internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - security controls and processes currently in place;
  - the impact should information or technology systems become compromised; and
  - the effectiveness of the governance structure for the management of cybersecurity risk.
- As mentioned above, the Rule and related guidance do reference the review of policies and procedures in response to significant compliance events. At this point, we can state definitively that an IT breach, especially one involving client or other sensitive data, is a significant compliance event that must be mapped to the Annual Review. The SEC has already tilled this ground in a past enforcement, and going forward we expect examiners to regularly ask about the occurrence and management of breaches, including documentation, which means asking how such events show up in the Annual Review.
Conclusion
Many advisers are taking a slightly more mechanistic approach to the Annual Review in light of the SEC’s well-understood expectations regarding Risk Management. Your policies and procedures, as contemplated by the Compliance Rule, are determined by the specific activities and risks at your firm. The Annual Review tests those policies for adequacy and effectiveness. Your firm’s Risk Inventory is designed to identify and address risks within your program. Mapping policies and procedures to the risk inventory, and the corresponding review of each, translates naturally into a spreadsheet-based Annual Review. While many advisers may prefer to do it in prose, the SEC is, effectively, asking you to conduct ongoing review through the risk management process, and an existing or developing risk management process can be leveraged directly in the Annual Review.
A basic tenet of healthy cybersecurity practice, and a primary component of the NIST Cybersecurity Framework’s “Implementation Tiers,” is the incorporation of cybersecurity risk into the overall risk management program. One way to further evidence this process is by tying it into your Annual Review.
References:
DIM Guidance – https://www.sec.gov/investment/im-guidance-2015-02.pdf
[1] See, e.g., Equitas Capital Advisors, LLC et al., Advisers Act Rel. No. 3704 (Oct. 23, 2013) (CCO, among other things, failed to conduct compliance reviews, establish adequate compliance procedures, and failed to correct weaknesses in examination program identified by SEC examiners notwithstanding representations to SEC staff); Buckingham Research Group, Inc., et al., Advisers Act Rel. No. 3109 (Nov. 17, 2010) (CCO failed to discharge his responsibilities adequately by failing to establish policies reasonably designed to prevent misuse of material non-public information, implement compliance policies, conduct an annual review, and cure deficiencies in an examination); OMNI Investment Advisers Inc. and Gary R. Beynon, Advisers Act Rel. No. 3323 (Nov. 28, 2011) (CCO was living in Brazil); Ronald S. Rollins, Advisers Act Rel. No. 3635 (July 29, 2013) (CCO, among other things, failed to implement policy against holding custody of client assets).