Shortly after the Target breach in late 2013, the SEC began a cybersecurity "sweep" across a selection of 50 registered investment advisors (RIAs). The intent being to obtain some perspective regarding their information security rigor. In mid-April 2014, they released the "28 Questions" document, publicly showing the audit questions that were asked during the document request process, which quickly became a quasi-standard used by buy-side firms to gauge their preparedness. As well, due diligence teams of institutional investors began to incorporate these questions into their annual reviews.
The OCIE-SEC did not rest on their laurels. Over the next three years, they released additional risk alerts focused on cybersecurity issues and concerns. In late 2015, they released a particularly important risk alert emphasizing the following areas of focus:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Incident Response
These are essential pillars of cybersecurity, but instead of listing the questions themselves, they buried the key information in the appendix, where they were more likely to be ignored. It is my belief that if the actual audit questions were made public (as they were in 2014) we would have seen better adoption.
A risk alert in late 2017 provided observations from a sweep of 75 companies, noting improvements from their first sweep in 2014, but highlighting what gaps they discovered.
As well, they announced that a separate cybersecurity unit was created within the SEC. Previously, auditors received some training and checklists of questions to ask, but this wasn't quite the same as having cybersecurity experts charged with performing deeper investigations and challenging firms' responses to audit questions.
A recent survey from TD Ameritrade suggests that only 27% of RIAs surveyed feel that cybersecurity issues (even when broadly defined) are concerning. As such, it’s not surprising that when the SEC made public its examination priorities for 2018, they explicitly stated that cybersecurity remains a priority, re-emphasizing the six pillars listed above.
I believe that since this spotlight focus was originally detailed two years ago, the SEC is subtly underlining that there is no good excuse that firms should not be prepared for a vigorous questioning if an audit is initiated.
To help firms prepare for said audit, eSentire has reviewed the appendix documentation and created a Regulatory Security Preparatory Checklist with questions to which firms can generate responses in the order and format expected. I strongly recommend that all RIAs download and prepare their responses in advance, as part of an audit preparedness review.
Eldon Sprickerhoff is founder and chief security strategist at cyber security company eSentire (www.eSentire.com). In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.