With the recent announcement by Jane Jarcho, National Associate Director for the Securities and Exchange Commission's Asset Manager exam program, that they “will be looking to see what policies are in place to prevent, detect and respond to cyber attacks,” as well as at vendor access and vendor due diligence from asset managers, the SEC has ramped up its Cybersecurity Assessment program out of its Chicago office.
The practice of Asset management, broadly defined, refers to any system that monitors and maintains things of value to an entity or group. The context of Jarcho’s statements was directed towards Investment Managers.
Investment management is the professional asset management of various securities (shares, bonds and other securities) and other assets (e.g., real estate) in order to meet specified investment goals for the benefit of the investors. Investors may be institutions (insurance companies, pension funds, corporations, charities, educational establishments etc.) or private investors (both directly via investment contracts and more commonly via collective investment schemes, e.g. mutual funds or exchange-traded funds).
The new focus is on "requiring" asset managers to disclose Cybersecurity breaches. Disclosure of cyber events, which has traditionally been "guidance" but is now under pressure to become "rule", is being aligned with the registration filing process for "material changes" as described in the SEC CF Disclosure Guidance, Topic 2: Cybersecurity.
From the SEC CF Disclosure Guidance, Topic Number 2: Cybersecurity
Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents

The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to Cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding Cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to Cybersecurity risks and cyber incidents.
The SEC is ramping up to perform Sweep Assessments. These are very targeted assessments against narrowly defined criteria. In this case the SEC is looking to see whether Asset Managers are “doing the right things”. This comes as no shock or revelation to Cybersecurity professionals, but Asset Managers have never really been held “accountable” for Cybersecurity in the past. Many Investment Managers strive to follow standards and industry-accepted practices, but they find they may not have such tight control over their Broker/Dealer networks. Alliance partner attestations of Cybersecurity control alone will not protect the brand and reputation following an incident. Due diligence and a focus on standards become more and more important as regulatory scrutiny increases.
Some of the items the SEC will be asking Investment Managers to provide seem rudimentary to a Cybersecurity professional but may not be as readily accessible to some organizations. Getting an early start on identifying and compiling the pieces of evidence being asked for is key not only to a successful Cybersecurity-focused Sweep Assessment but also to double-checking, validating or shoring up a comprehensive Cybersecurity program. Having a third party assist in interpreting this evidence and confirming the objective behind each request will ease the pain and confusion that may precede a formal assessment.
Some highlights from the SEC’s list of items they will be asking for are:

- Relevant Policies and Procedures for:
    - Physical Device Inventory
    - Software platform and application inventory
    - Network Maps
    - Cataloging of External Connections to the network
    - Resource Classification based on risk
    - Logging capabilities
    - Written Security Policy
- Risk Assessment Processes
    - Cybersecurity threats
    - Physical security threats
    - Systemic Cybersecurity roles and responsibility/accountability
    - Business Continuity Plan
- Cybersecurity Ownership/Leadership (CISO or equivalent)
- Cybersecurity Insurance maintenance and coverage
- Cybersecurity Risk Management (adherence to Standards)
- Cybersecurity Network Controls, testing and Staff Training
    - Engineering
    - Application Development
    - Configuration Standards
    - Distributed Denial Of Service resiliency
    - Data Retention and Destruction
    - Incident Response
    - Encryption
    - Audits
    - BCP and DR
- Risks associated with Remote Customer Access and Asset Transfer Requests
    - Online Access
    - Identification, Authentication and Access Management
    - User Credential protection
    - E-mail authentication
- Risks associated with Vendors and Third Parties
- Detection of Unauthorized Activity
- Documentation of any incidents since January 1, 2013
There is much more detail they will be requesting to support the topics highlighted above. The bottom line is that the SEC is looking to see that the organization is following industry-accepted practices for Cybersecurity. Identifying supporting evidence ahead of time will greatly reduce the frustration and churn that may result from being subjected to these sweep assessments. My advice is to get a jump on this expectation by identifying and validating the supporting evidence early.
Great information. This blog post clearly shows the importance of ICS cyber security. Thanks