The SEC's New Cybersecurity Exam Alert – What Advisors Need To Know
Justin Kapahi
22 September 2015
Kapahi has spent over 15 years engineering high-end systems for financial, enterprise-scale and SMB-sized companies, including Goldman Sachs, General Dynamics, Sumitomo Mitsui Banking Corporation and Eli Lilly. At External IT, he works with financial advisors and RIAs to create solutions that are scalable and SEC-compliant. Before that, he was a senior manager at Fairholme Capital Management.

The SEC has issued a new risk alert on cybersecurity that registered broker-dealers and investment advisors need to follow closely. The SEC's Office of Compliance Inspections and Examinations (OCIE) pointed to six broad categories in the alert, which was released on September 15: governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

This isn't just a collection of friendly tips. The alert includes a sample list of the documents and information the OCIE may request during an exam. The office is conducting a second round of cybersecurity examinations to check that firms have actually implemented the formal policies, procedures and controls they should already have in place. The first round of exams was announced in April 2014, and the OCIE published its findings from that round in February 2015. Technology available to financial firms, and to the people capable of compromising them, has evolved since then. So although a new round isn't itself surprising, firms may be surprised by some of the criteria the SEC will focus on and by the level of detail it will seek.

Let's take a deeper look at the six categories the OCIE is examining, and why having policies and procedures for each is important:

1. Governance and risk assessment

Protecting client information, including confidential documents, touches every aspect of cybersecurity. Doing it properly calls for periodically evaluating risks and determining whether the firm's controls are tailored to its business. Because governance and risk assessment affect the whole business, senior managers and boards of directors ought to be involved. Prompt installation of patches (vendor-supplied software updates) is a best practice. So are keeping board minutes that record cybersecurity discussions, organizational charts showing who in the firm is responsible for cybersecurity, and reports on vulnerabilities the firm has discovered together with the steps taken to fix them.

2. Access rights and controls

Basic controls can minimize the risk of data breaches. These include multi-factor authentication, strong credential and authorization methods, updating access rights as employees change roles and as the firm acquires new systems, and controlling how employees and clients access the firm's systems remotely. The OCIE alert devotes significant space to this section. Firms should have evidence that they log failed login attempts, that they track cases in which access was granted outside the process company policy prescribes, and that users were notified of their access obligations. Firms should also be able to show that remote devices are encrypted and tracked, and that they are deactivated when necessary, for example when a device is lost or a user leaves the firm.

3. Data loss prevention

Data flows constantly. The more employees, clients and vendors a firm works with, the more data is on the move. Firms should monitor the volume of this movement and check for unauthorized transfers, for example through email attachments or uploads to external sites. Some client requests may not be genuine: a request to transfer funds or change account details can be a social-engineering attempt, so firms ought to have a procedure for verifying that such requests actually come from the client. Examiners may look for evidence that the firm tracks where personally identifiable information is stored, classifies data into distinct types and assigns each type a risk level. Expect close scrutiny of whether and how the firm prevents theft of the highest-risk data.

4. Vendor management

The more access a third party has to the firm's systems and data, the larger the potential breach. Firms owe it to clients, and to themselves, to choose vendors carefully after thorough due diligence. Examiners may study the firm's relationships with vendors when assessing whether contract terms are appropriate and how much oversight the firm applies to them. Firms ought to keep records of exactly which systems and data each vendor can access. This applies even to vendors hired to mitigate cybersecurity risks. Conflicts of interest, bankruptcy and other events that could cause a vendor to cease operating call for contingency plans; otherwise the firm's data could immediately be put at risk.

5. Training

An airtight policy document and a vigilant management team can do only so much. Employees and vendors need training, since they are the first line of defense. One size doesn't fit all, so training should be relevant to each person's role. Cybersecurity training also tends to be most effective when it is part of someone's regular training rather than an isolated, one-off event. Examiners may look at how training is conducted. Verbal instruction isn't always best, nor is one-on-one instruction; group participation has its merits, as does computer-based learning.

6. Incident response

Every other control a firm puts in place ultimately feeds into how it responds when an incident actually occurs. That requires deciding in advance which assets, services and data merit the most attention, and this is where business continuity plans come into play. How a firm recovers from an incident may be as important as how it plans to prevent similar incidents in the future. Documenting exactly what data was compromised is also essential. Cybersecurity insurance is growing in popularity. Firms that suffer breaches and don't carry insurance ought to be able to explain why not, and firms that do carry it ought to know how much of their losses the policy covered.

Conclusion

It's not enough to have a cybersecurity plan documented in writing. Firms should be able to prove they adhere to that plan. It is theoretically possible for broker-dealers and RIAs to meet that bar without outside assistance. In practice, it's extremely challenging for a financial firm to build and maintain that kind of infrastructure without incurring large costs and diverting attention from its core business. Some firms hope to satisfy regulators by using outdated technology from bargain-basement vendors. Even if such firms get past the SEC without penalties, they still risk suffering real breaches. Only financial firms that use top-tier services built on current technology can feel truly safe.