We continue our discussion of the SEC’s Division of Examinations’ (EXAMS) 2021 Priorities (see here) with an overview of information security and operational resiliency.  The daily drumbeat of cyber-intrusion incidents is certain to keep cybersecurity at the top of EXAMS’ focus.

In light of the pandemic forcing a shift to remote work, EXAMS has announced its focus on information security issues including: endpoint security, data loss, remote access, third-party communication systems, and vendor management.  EXAMS will assess firms’ reasonable efforts to:

(1) prevent account intrusions, focusing on customer identity;

(2) oversee vendors and service providers;

(3) address malicious email activities;

(4) respond to incidents, specifically ransomware attacks; and

(5) manage operational risk created by remote working.

EXAMS expects to focus these reviews on firms’ policies and procedures for platform investor information security and electronic maintenance of books and records, both by firms and their vendors. The pandemic also provides EXAMS an opportunity to review the sufficiency of disaster recovery and business continuity plans. For those who remember post-Hurricane Sandy sweep exams, these will look familiar. Have you improved since then?

EXAMS also encourages market participants to actively and effectively engage regulators and law enforcement in identifying and addressing vulnerabilities and attacks. We recommend soliciting the appropriate advice to assess your preparedness and assist in incident and remediation reporting.

EXAMS signaled its focus on this topic last year in published guidance (see here), which is useful to governance and risk considerations. The SEC has stated that effective governance of cybersecurity begins with demonstrated commitment from the top. This includes boards and executives articulating cyber policies and priorities; performing enterprise risk assessments to identify, manage and mitigate risks unique to the enterprise; and developing methodologies for risk assessments that account for employees working away from the office.

Effective governance also includes routine review of access controls and data loss prevention processes, including practices such as penetration testing, software testing, patch management and appropriate encryption and access segmentation. For digital advisors, which exist almost exclusively in this realm, each of these risks is magnified. Demonstrating resiliency in cybersecurity, then, involves developing a plan and identifying personnel to address incidents, a process for measuring the scope of the vulnerability and risk, and a protocol for elevation and reporting.

When regulators come knocking, it is published guidance, like the above, that they look to in answering whether “you knew or should have known” about the risks, and the “reasonableness” of your cybersecurity practices and procedures. In Source Code’s next post, Craig will discuss managing cybersecurity and privacy risks posed by the vendors your firm works with.