Regulatory Cyber Alert: SEC Conducting Cyber Compliance Examination Sweep of Registered Investment Advisers (RIAs)

SEC focus areas include cloud risk, cyber/tech controls, among others

The U.S. Securities and Exchange Commission (SEC) has commenced a series of cybersecurity examinations on registered investment advisers (RIAs).

As evidenced by a flurry of information request letters this week, the SEC is targeting Form ADV data related to cloud service providers with 24 requests focused on vendor diligence and oversight. The SEC is focusing on how RIAs are identifying and monitoring risks to ensure systems, data, and non-public client information are secured at third parties and the cloud service providers they use.

It is evident that the SEC is intent on understanding cyber concerns not only at RIAs, but in RIAs’ technology architecture and partners.

The current SEC sweep includes an information request list that differs from previous lists, including the cyber sweep that commenced earlier this year. The SEC is requesting that RIAs provide the following key areas of information, among others:

• Vendor contracting and vendor due diligence reviews
• Policies and procedures as they align to technology standards (e.g., NIST, COBIT)
• Cloud service provider:
  • Business and risk assessments
  • Jurisdictions
  • Classifications
  • Books and records exposure
  • Data loss prevention
  • Data encryption
  • Identity and access management
• Comprehensive egress/ingress inventories (public domain and partners)
• Master Services Agreement (MSA), Operational Level Agreement (OLA), and Service Level Agreement (SLA) documentation for each service provider 

ACA Aponix Guidance

No RIA, big or small, is exempt from the SEC’s focus on cybersecurity. Now is the time for firms to enrich their cyber compliance programs.

While very targeted, the current examination sweep does not exclude previous cyber focus areas. Governance, access controls, data loss prevention, vendor management, cyber training, and incident response are all still in focus; perhaps even more so considering these areas are in scope at an adviser’s connected partners. Private equity (PE) firms remain under additional scrutiny in how they oversee cyber concerns at their portfolio companies.

It is plausible that the SEC is using advanced analytics to determine vendor concentration risk across the RIA community and to understand how that is being addressed by individual RIAs. Not all Schedule D vendors were included in the request for diligence documentation: it was focused on providers that are likely servicing a significant number of RIAs.

Firms should ensure that they have documented initial and ongoing diligence on cloud providers in Section 1.L of Schedule D on Form ADV Part 1A.

ACA clients who have received this request should reach out to their ACA contact for guidance in responding to the SEC.

How ACA Aponix Can Help

ACA Aponix provides guidance to RIAs on their cyber compliance programs in order to help them comply with SEC requirements and protect their assets and investors. With former SEC regulators, CISOs, CIOs, CTOs, and other executive-level consultants on our team, we are well positioned to provide the following cyber solutions to RIAs:

• Risk assessments and testing services, including penetration testing and vulnerability assessments
• Mock regulatory cyber exams
• Governance, policies, and procedures development, including cyber incident response planning, WISP development assistance, and business continuity and disaster recovery planning
• Microsoft^® Office 365^® security assessments
• Vendor diligence and management
• M&A due diligence (pre- and post-deal)
• Privacy gap analysis (CCPA, GDPR, and others)
• Cyber education and awareness
• Threat intelligence
• Gap analysis against PCI, HITRUST, and other standards

Given the SEC's focus on vendor oversight, ACA’s vendor management services and Office 365 security assessments are particularly appropriate means of helping address how your firm would respond to a request similar to the ones just issued.

ACA Aponix Regulatory Cyber Resources

The following ACA resources are available to help your firm prepare for an SEC examination:

• Alert: SEC Updates Document Request List for Cybersecurity Examinations
• Blog: Preparing for SEC Cyber Compliance – What You Need to Know
• Webcast: SEC Examination Priorities and Focus Areas for 2019
• Alert: SEC Announces 2019 Examination Priorities

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.