Cybersecurity Strategies to Ensure SEC Compliance, 2nd Edition
Includes: 24 Best Practices, 16 Tools, 4 Risk Alerts and IM Guidance
Cybersecurity currently is a top priority for the SEC’s examination staff.  An initial “Phase 1” cybersecurity sweep of 49 investment advisers and 57 broker-dealers conducted by OCIE in 2014 yielded a Risk Alert offering summary observations of findings.  Fully three-quarters of the IAs subjected to the sweep reported being the target of a cyber-attack. 
The SEC has placed such a high priority on the issue that it is initiating a “Phase 2” sweep. This time examiners will be on site and digging deeply into key cyber concern areas. OCIE has stated that the repercussions of not being prepared for a cyber-attack are “quite significant.”

Prep areas

Compliance should be prepared to detail their practices for:
  • Identifying risks related to cybersecurity;
  • Establishing cybersecurity governance, including P&Ps and oversight processes;
  • Protecting firm networks and information;
  • Identifying and addressing risks associated with remote access to client information and funds transfer requests;
  • Identifying and addressing risks associated with vendors and other third parties; and
  • Detecting unauthorized activity.
Compliance could also expect to be asked about the detection and impact of cyber-attacks, their firm’s preparedness for cyber-attacks, training and policies relevant to cybersecurity, and the firm’s protocol for reporting cyber breaches.

P&Ps and risk assessments

While the SEC has not adopted cyber-specific rulemaking for IAs, the vast majority of firms have adopted written information security policies.  The vast majority of the examined firms also conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences.
Reg. S-P (the “safeguards rule”), Reg. I-D (the “red flags rule”) and Business Continuity Plans all touch on the issue of cybersecurity.
