The Security and Exchange Commission has released its first Investment Management Guidance Update in nearly two years, noting that “because funds are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses”.
A key factor in the update is that specified registrants are now required to use independent contractors for certain types of cybersecurity testing, ensuring that the focus is kept on enterprise risk management and governance:
- Assessment, mitigation, and monitoring of security and technology risk
- Capital planning and investment with respect to security and technology
- Board of directors and management oversight of system safeguards
- Information technology audit and controls assessments
- Remediation of deficiencies
These proposed modifications are aimed at enhancing the ability of regulated entities to tailor cybersecurity programs and policies to counter their own particularized risks and threats, focusing on a number of areas including Written Policies, Employee Training, Board Involvement and more.
But, at the end of the day, you just want to know what this most recent update means for your wealth management firm. These are the questions you need to ask yourself:
Written Policies and Implementation
- Written Information Security Policy (WISP)
- Information Governance: Document Retention and Deletion Policies
- Asset Management: Data Mapping, Data Classification, and Data Loss Prevention
- Incident Response Plans (IRP) and escalation procedures
- Vendor and Third-Party Provider Cyber-Security Guidelines or Requirements
Division of responsibilities between IT and Compliance
- Do you have a CISO?
- Who conducts employee cyber-security training?
- Who reports on cybersecurity initiatives to Corporate Management and/or the Board?
- How Do IT and Compliance Work Together on cyber initiatives?
- What types of data are you concerned might be targeted and what
- are you currently doing to protect that data?
Board and C-Level Involvement
- Is cybersecurity being driven from the top down?
- Is it a Board/C-Suite priority?
- Does the CISO or CCO report on cybersecurity to the Board and C-Suite?
- How often do you present and/or involve the Board on cyber programs, training, policies, infrastructure and other initiatives?
- How prioritized are cyber-security initiatives? Where does it fall in the operating budget? What is your scope?
Litigation Exposure
- Target breach – two shareholder derivative suits filed
- Wyndham breach – shareholder derivative suit
- Home Depot breach – shareholder derivative suit
- All of these actions have been dismissed; but what about the future?
Employee Training
- Who at your firm is responsible for training?
- Do you conduct training in-house or use a vendor?
- How frequent is training? Annually, monthly, is there follow-up in between?
- How do you track training and participation?
- How do you test effectiveness of the training?
What topics are you focusing on?
- Passwords
- Phishing
- Spearfishing
- Care with portable devices, such as mobile phones, laptops, USB
- Encryption
Not sure about how to answer these questions? Brainlink will help.
For more information about SEC OCIE Guidance and what the recent updates mean for your firm, reach out to Brainlink right away at {phone} or {email}.