What Investment Advisers Need to Know about Regulatory Cybersecurity
I recently joined ACA as Managing Director and Head of ACA Aponix’s Global Regulatory Cybersecurity Practice. Before joining ACA, I served as Associate Director and Head of the National Technology Controls Examination Program with the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”). I would like to take this opportunity to introduce myself and share with you my perspective on regulatory cybersecurity preparedness.
Cybersecurity has become an increasing regulatory focus and will continue to be a top regulatory priority for the SEC. OCIE has issued multiple cybersecurity risk alerts and the Division of Investment Management has issued a cybersecurity guidance update that provides baseline cybersecurity preparedness measures for investment management firms. The SEC’s Division of Enforcement also launched a Cyber Unit that will be fully engaged on cyber-related matters. Firms should be prepared in the event they are selected for an SEC examination that includes cybersecurity as a focus area.
Cybersecurity is not only an information technology issue, but a critical business issue; it has become a top priority for firms’ boards, senior management, investors, and clients due to the reputational, operational, financial, and regulatory risks associated with a cyber threat or incident.
To address this priority, firms should be proactive and act now. CCOs, CIOs, CTOs, CISOs, and other C-suite stakeholders should be strategic partners in assisting with the development of their firm’s cybersecurity program.
To develop a sound cybersecurity program that effectively and holistically addresses cybersecurity risks, firms should:
- Create a cybersecurity governance structure;
- Adopt a cybersecurity strategy; and
- Conduct a cybersecurity risk assessment.
In addition, firms should consider performing a mock SEC cybersecurity examination to assess their preparedness for an actual SEC cybersecurity examination as well as to stay ahead of regulators.
How ACA Aponix Can Help
ACA understands the pressures firms face to meet their regulatory cybersecurity obligations while keeping up with rapid technological advancements and evolving cyber threats. We partner with firms to help enhance their cybersecurity preparedness, develop sound cybersecurity and compliance programs, and optimize resources associated with meeting regulatory cybersecurity obligations.
Our regulatory cybersecurity services include:
- Cybersecurity and Technology Risk Assessments – We can help determine if your firm’s business processes and system or network configurations could expose your business to cyber threats.
- Mock Regulatory Cybersecurity Exams – We can help your firm address current and emerging cybersecurity risks and prepare for an actual cybersecurity examination by reviewing your firm’s cybersecurity program from a regulator’s perspective.
About the Author
Askari Foy is a Managing Director overseeing ACA Aponix's Global Regulatory Cybersecurity Practice. He recently joined ACA after serving for over 13 years with the U.S. Securities and Exchange Commission (“SEC”), where he was most recently Associate Director and Head of the National Technology Controls Program (“TCP”) with the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). TCP conducts cybersecurity examinations of registered investment advisers, broker-dealers, national securities exchanges, clearing agencies, automated trading systems, and self-regulatory organizations to ensure compliance with federal securities laws. As head of the TCP, Askari developed and implemented cybersecurity risk-based examination and surveillance strategies that promoted the importance of cybersecurity and IT Governance structure among SEC registrants. Askari was also a contributor to the implementation of Regulation SCI, which focuses on critical market infrastructure and is used as a guideline for investment adviser and broker-dealer examinations.