Friday, April 11, 2014
Asset Managers Prepare: SEC Cybersecurity Sweep Audits Are a Reality
With the recent announcement by Jane Jarcho, National Associate Director for the Securities and Exchange Commission's Asset Manager exam program, that they “will be looking to see what policies are in place to prevent, detect and respond to cyber attacks,” as well as vendor access and vendor due diligence from asset managers, the SEC has ramped up their Cybersecurity Assessment program out of their Chicago office.
The practice of Asset management, broadly defined, refers to any system that monitors and maintains things of value to an entity or group. The context of Jarcho’s statements was directed towards Investment Managers.
Investment management is the professional asset management of various securities (shares, bonds and other securities) and other assets (e.g., real estate) in order to meet specified investment goals for the benefit of the investors. Investors may be institutions (insurance companies, pension funds, corporations, charities, educational establishments etc.) or private investors (both directly via investment contracts and more commonly via collective investment schemes e.g. mutual funds or exchange-traded funds).
The new focus is to try to "require" asset managers to disclose Cybersecurity breaches. The focus on cyber events (which has traditionally been "guidance" but is now being pressured to become "rule") is being prepared to meet the registration filing process for "material changes" as described in the SEC guidance for Corporate Financial Disclosure, Topic 2: Cybersecurity.
From the SEC CF Disclosure Guidance Topic Number 2: Cybersecurity
Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents
The federal securities laws, in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to Cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding Cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading. Therefore, as with other operational and financial risks, registrants should review, on an ongoing basis, the adequacy of their disclosure relating to Cybersecurity risks and cyber incidents.
The SEC is ramping up to perform Sweep Assessments. These are very targeted assessments against very succinct criteria. In this case the SEC is looking to see if Asset Managers are “doing the right things”. This comes as no shock or revelation to Cybersecurity professionals, but Asset Managers have never really been held “accountable” for Cybersecurity in the past. Many Investment Managers strive to follow standards and industry accepted practices, but they find they may not have such tight control over their Broker/Dealer networks. Alliance partner attestations of Cybersecurity control alone will not indemnify the brand and reputation following an incident. Due diligence and focus on standards become more and more important as the regulatory scrutiny increases.
Some of the items the SEC will be asking the Investment Managers to provide seem rudimentary to a Cybersecurity professional but may not be as readily accessible to some organizations. Getting an early start on identifying and compiling the pieces of evidence being asked for is key not only to a successful Cybersecurity focused Sweep Assessment but also to double checking, validating or shoring up a comprehensive Cybersecurity program. Having a third party assist in interpreting this evidence and clarifying the objective behind each request will ease the pain and confusion that may precede a formal assessment.
Some highlights from the SEC’s list of items they will be asking for are:
Relevant Policies and Procedures for:
Physical Device Inventory
Software platform and application inventory
Cataloging of External Connections to the network
Resource Classification based on risk
Written Security Policy
Risk Assessment Processes
Physical security threats
Systemic Cybersecurity roles and responsibility/accountability
Business Continuity Plan
Cybersecurity Ownership/Leadership (CISO or equivalent)
Cybersecurity Insurance maintenance and coverage
Cybersecurity Risk Management (adherence to Standards)
Cybersecurity Network Controls, testing and Staff Training
Distributed Denial Of Service resiliency
Data Retention and Destruction
BCP and DR
Risks associated with Remote Customer Access and Asset Transfer Requests
Identification Authentication and Access Management
User Credential protection
Risks associated with Vendors and Third Parties
Detection of Unauthorized Activity
Documentation of any incidents since January 1, 2013
There is much more detail they will be requesting to support the topics highlighted above. The bottom line here is that the SEC is looking to see that the organization is following industry accepted practices for Cybersecurity. Identifying supporting evidence will greatly reduce the frustration and churn that may result from being subjected to these sweep assessments. My advice is to get a jump on this expectation by identifying and validating the supporting evidence early.