
Wednesday, February 5, 2020

SEC Cybersecurity Exam Observations/Recommendations in 2020

Cory Roberson, Principal FIN Compliance/Lancer
David McNeal, Systems Developer/Contributor, My Compliance Blog

February 5, 2020.  As a supplement to its recent SEC examinations report, the Office of Compliance Inspections and Examinations (“OCIE”) staff released a summary of the cybersecurity observations it made during examinations of investment advisers over the past year.

Among registrants in our network, we’ve also seen an increase in cybersecurity inquiries from the OCIE due to an uptick in limited-scope examinations of newly SEC-registered firms.

OCIE Core Areas of oversight include:

Training and Awareness

Policies and Procedures as a Training Guide:
Train staff to implement the organization’s cybersecurity policies and procedures and engage the workforce to build a culture of cybersecurity readiness and operational resiliency.

Include Examples and Exercises in Training:
Provide specific cybersecurity and resiliency training, including phishing exercises to help employees identify phishing emails.

Include preventive measures in training, such as:
Identifying and responding to indicators of breaches;
Obtaining customer confirmation if behavior appears suspicious.

Training Effectiveness:
Monitor employee attendance at training and assess the effectiveness of the training.
Continuously re-evaluate and update training programs based on cyber-threat intelligence.

Governance/Risk Management
A key element of effective programs is the incorporation of a governance and risk management program that generally includes, among other things:
A risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization.
Written cybersecurity policies and procedures to address those risks.
The effective implementation and enforcement of those policies and procedures.

Senior Level Engagement:
Devote appropriate board and senior leadership attention to developing the policy and coordinating cybersecurity and recovery projects of the company.
Risk Assessment:

Develop and conduct a risk assessment process to identify, manage and mitigate cyber risks relevant to the organization’s business, including:

Consider the organization’s business model as part of defining a risk assessment methodology.

Work to identify and prioritize potential vulnerabilities, including:

Remote or traveling employees;
Insider threats;
International operations;
Geopolitical risks;
Any others identified.

Policies and Procedures:
Adopt and enforce detailed written policies and procedures on the areas listed below and known risks.

Testing and Monitoring:
Establish comprehensive testing and monitoring to periodically and consistently verify that cybersecurity policies and procedures are being followed and remain effective.

Continuously Evaluating and Adapting to Changes:
Respond promptly to testing and monitoring results by updating policies and procedures to fix any deficiencies or shortcomings.


Establish internal and external communication policies and procedures to provide appropriate, timely information to:
Others involved in the market;
Access Rights and Controls
Access controls generally include:
Understanding the location of data, including client information, throughout the organization;
Restricting access to systems and data to authorized users;
Establishing appropriate controls to prevent and monitor for unauthorized access.

User Access:

Develop a clear understanding of program and data access needs, including:

Limiting access to sensitive systems and data, based upon the user’s needs to perform legitimate and authorized activities on the organization’s information systems;
Requiring periodic account reviews.

Access Management:

Manage user access by writing and enforcing policies and procedures.
Limit access as appropriate, including during onboarding, transfers, and terminations.
Implement separation of duties for user access approvals.
Re-certify users’ access rights on a periodic basis.
Require the use of strong, and periodically changed, passwords. (Note: current NIST guidance in SP 800-63B advises against forcing periodic changes unless compromise is suspected; password strength and screening against known-breached passwords matter more.)
Utilize multi-factor authentication (MFA) using an authenticator application or a hardware token/key fob.
Revoke system access immediately for individuals no longer employed by the organization.

Access Monitoring:

Monitor user access and develop procedures that:
Monitor for failed login attempts and account lockouts;
Ensure proper handling of customers’ requests for username and password changes;
Authenticate anomalous or unusual customer requests;
Consistently review for hardware and software changes to identify when a change is made;
Ensure that any changes are approved and properly implemented, and that any anomalies are investigated.

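
As an added worked example (written for this post, not OCIE’s or the authors’ code), the Python below applies the Access Management and Access Monitoring items above to a constructed authentication log: it flags bursts of failed logins against one account, lists lockouts, and reports successful logins by accounts that HR has marked terminated, which is the check that confirms “revoke access immediately” is actually happening. The log line format, the field names, the thresholds and the sample lines are all assumptions.

```python
"""Added example for the Access Management / Access Monitoring items: triage of
authentication events. Not OCIE code; log format, thresholds and sample lines
are assumptions constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 UTC timestamp> auth=<OK|FAIL|LOCKOUT> user=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL|LOCKOUT) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(lines):
    """Return (events, skipped): parsed event dicts plus a count of lines that
    did not match the format. Unparseable lines are worth alerting on too,
    since log tampering often leaves exactly that trace."""
    events, skipped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, skipped


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map user -> largest number of FAIL events inside one sliding window of
    length `window`, for users who reach `threshold`. Keying on the target
    account rather than the source IP catches password spraying from many
    sources as well as brute force from a single one."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def lockouts(events):
    """Accounts the authentication system locked during the period."""
    return sorted({ev["user"] for ev in events if ev["result"] == "LOCKOUT"})


def access_by_offboarded(events, offboarded):
    """Successful logins by accounts HR reports as terminated. If access were
    revoked on departure this list would be empty; every entry is a finding."""
    return [(ev["ts"].isoformat(), ev["user"], ev["src"])
            for ev in events if ev["result"] == "OK" and ev["user"] in offboarded]


def triage(lines, offboarded):
    events, skipped = parse_auth_log(lines)
    return {
        "bursts": failed_login_bursts(events),
        "lockouts": lockouts(events),
        "offboarded_access": access_by_offboarded(events, offboarded),
        "unparsed_lines": skipped,
    }


# Constructed sample log: a brute-force run against jsmith ending in a lockout,
# a normal login, two isolated failures for agarcia (hours apart, so no burst),
# a login by an account HR marked terminated, and one malformed line.
SAMPLE_LOG = [
    "2020-02-03T09:12:01Z auth=FAIL user=jsmith src=198.51.100.8",
    "2020-02-03T09:12:30Z auth=FAIL user=jsmith src=198.51.100.8",
    "2020-02-03T09:13:02Z auth=FAIL user=jsmith src=198.51.100.8",
    "2020-02-03T09:13:40Z auth=FAIL user=jsmith src=198.51.100.8",
    "2020-02-03T09:14:11Z auth=FAIL user=jsmith src=198.51.100.8",
    "2020-02-03T09:14:55Z auth=FAIL user=jsmith src=198.51.100.8",
    "2020-02-03T09:14:56Z auth=LOCKOUT user=jsmith src=198.51.100.8",
    "2020-02-03T09:20:14Z auth=OK user=mlee src=10.0.4.21",
    "2020-02-03T11:02:09Z auth=FAIL user=agarcia src=10.0.4.33",
    "2020-02-03T16:40:51Z auth=FAIL user=agarcia src=10.0.4.33",
    "2020-02-03T22:14:09Z auth=OK user=tbrown src=203.0.113.7",
    "corrupted line with no fields",
]
OFFBOARDED = {"tbrown"}  # assumed feed of terminated accounts from HR

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, OFFBOARDED).items():
        print(f"{key}: {value}")
```

The offboarded check is the one to run on a schedule against the HR roster rather than only at termination time: it proves the revocation procedure works, which is what an examiner asking about “periodic account reviews” wants to see evidence of.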
Data Loss Prevention
Data loss prevention typically includes a set of tools and processes an organization uses to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users.
Vulnerability Scanning:

Establish a vulnerability management program that includes routine scans of:

Software code;
Web applications;
Servers and databases;

both within the organization and at applicable third-party providers.

Perimeter Security

Implement technologies to track, monitor and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.

These capabilities include:

Intrusion detection systems;
Email security capabilities;
Web proxy systems with content filtering.

Implement an enterprise data loss prevention solution capable of monitoring and blocking access to:

Personal email;
Cloud-based file sharing services;
Social media sites;
Removable media such as USB drives and CDs.

Detective Security:
Implement applications that detect threats on endpoints.

Consider products that can:
Utilize both signature-based and behavior-based detection;
Identify incoming fraudulent communications (e.g., phishing) to prevent unauthorized software or malware from running.

Establish policies and procedures to capture and retain system logs from systems and applications for aggregation and analysis.

For software that provides automated actions, such as macros and scripts:
Enable optional security features.
Follow the security guidance that may be offered by third party software providers.

Patch Management:
Establish a patch management program covering both software and hardware, including anti-virus and anti-malware deployment.

Inventory Hardware and Software:
Maintain an inventory of hardware and software assets.
Identify critical assets and information (know where they are located, and how they are protected).

Encryption and Network Segmentation

Use tools and processes to secure data and systems.
Encrypt data “in motion” both internally and externally.
Encrypt data “at rest” on all systems including laptops, desktops, mobile phones, tablets, and servers.
Implement network segmentation and access control lists to limit data availability to only authorized systems and networks.

Insider Threat Monitoring

Create an insider threat program to identify suspicious behaviors, including escalating issues to senior leadership as appropriate.
Increase the depth and frequency of testing of business systems, and conduct penetration tests.
Create rules to identify and block sensitive data from leaving the organization.
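
As an added worked example (not from OCIE or the post’s authors) that covers both the enterprise DLP capability described under Perimeter Security and the rule above for blocking sensitive data from leaving the organization, the Python below scans an outbound message for client identifiers and decides whether to deliver it. It uses structural checks (SSA issuance rules for Social Security numbers, the Luhn check digit for card and account numbers) so that arbitrary runs of digits do not trigger the rule, and it masks matches so the DLP log does not itself become a store of client data. The patterns, the internal domain list and the sample messages are assumptions constructed for this example.

```python
"""Added example for the DLP / insider-threat items: an outbound content rule.
Not OCIE code; patterns, domains and sample messages are assumptions."""
import re

# Candidate patterns are deliberately loose; the structural checks below remove
# the false positives a bare "nine digits" or "sixteen digits" pattern produces.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def ssn_plausible(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits):
    """Luhn check digit, used by payment cards and many account numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def scan_text(text):
    """Return (kind, masked_value) findings. Only the last four digits are kept
    so the DLP log itself does not become a copy of the sensitive data."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def evaluate_outbound(message, internal_domains):
    """Policy: client identifiers may travel to internal domains, never to
    external ones. Returns the decision together with what was matched so the
    event can be reviewed and, if needed, escalated."""
    domain = message["to"].rsplit("@", 1)[-1].lower()
    findings = scan_text(message["body"])
    external = domain not in internal_domains
    decision = "block" if (external and findings) else "allow"
    return {"to": message["to"], "external": external,
            "findings": findings, "decision": decision}


INTERNAL_DOMAINS = {"example-ria.com"}  # assumed
SAMPLE_MESSAGES = [  # constructed for this example
    {"to": "friend@gmail.com",
     "body": "Per our call, client SSN 123-45-6789, card on file 4111 1111 1111 1111."},
    {"to": "ops@example-ria.com",
     "body": "Per our call, client SSN 123-45-6789, card on file 4111 1111 1111 1111."},
    # Looks like identifiers but is not: area 000 is never issued and the
    # 16-digit string fails the Luhn check, so neither is reported.
    {"to": "vendor@example.net",
     "body": "Ticket 000-12-3456 closed; ref 4111 1111 1111 1112; order 12345678."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(evaluate_outbound(msg, INTERNAL_DOMAINS))
```

The third message is the reason the structural checks exist: a rule that matches on digit count alone would block it, and a rule that blocks too much gets switched off by the business, which is worse than a narrower rule that stays on.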

Track corrective actions in response to:
Findings from testing and monitoring;
Material changes to business operations or technology;
Any other significant events.

Securing Legacy Systems and Equipment:
Verify that the decommissioning and disposal of hardware and software does not create system vulnerabilities.
Remove sensitive information from decommissioned hardware and software and dispose of it promptly.
Reassess vulnerability and risk assessments as legacy systems are replaced with more modern systems.

Mobile Security
Mobile devices and applications may create additional and unique vulnerabilities.
Policies and Procedures:
Establish policies and procedures for the use of mobile devices.

Managing the Use of Mobile Devices:

Use a mobile device management (MDM) application or similar technology for the organization’s business activities, including:
Email communication;
Data storage;
Other activities.

If using a “bring your own device” policy, ensure that the MDM solution works with all mobile phone/device operating systems.

Implementing Security Measures:
Require, among other security measures, the use of MFA for all internal and external users.

Take steps to prevent users from saving information to personally owned computers, smartphones or tablets.

Ensure the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.

Training Employees

Train employees on mobile device policies and effective practices to protect mobile devices.

Incident Response
Incident response includes:
Timely detection and appropriate disclosure of material information regarding incidents;
Assessment of the appropriateness of corrective actions taken in response to incidents.

Development of a Plan:

Develop a risk-assessed incident response plan for various scenarios, including:

Denial of service attacks;
Malicious disinformation;
Key employee succession;
Any other extreme but plausible scenarios.

Consider past cybersecurity incidents and current cyber-threat intelligence in developing business continuity plans and policies and procedures.

Establish and maintain procedures that include:
Timely notification and response if an event occurs;
A process to escalate incidents to appropriate levels of management;
Communication with key stakeholders.

Addressing Applicable Reporting Requirements:

Determine and comply with applicable federal and state reporting requirements for cyber incidents or events.
Contact local authorities or the FBI if an attack or compromise is discovered or suspected.
Inform regulators and share information with them as required.
Notify customers, clients, and employees promptly if their data is compromised.

Assigning Staff to Execute Specific Areas of the Plan:
Designate employees with specific roles and responsibilities in the event of a cyber incident.

Testing and Assessing the Plan:
Test the incident response plan and potential recovery times, using a variety of methods including tabletop exercises.
If an incident does occur, implement the plan and assess the response afterwards to determine whether any changes to the procedures are necessary.

Develop strategies to address resiliency:

An important component of an incident response plan includes business continuity and resiliency.
Maintain an Inventory of Core Business Operations and Systems:
Identify and prioritize core business services.
Understand the impact on business services of an individual system or process failure.
Map the systems and processes that support business services.

Assess Risks and Prioritize Business Operations:

Develop a strategy for operational resiliency with defined risk tolerances tailored to the organization.
Determine which systems and processes are capable of being substituted during disruption.
Ensure geographic separation of back-up data and avoid concentration risk.
Consider the effects of business disruptions on both the institution’s stakeholders and other organizations.

Consider Additional Safeguards:
Maintain back-up data in a different network and offline.
Evaluate whether cybersecurity insurance is appropriate for the organization’s business.

Vendor Management
Vendor Management Program:
Establish a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented.
Leverage questionnaires based on reviews of industry standards (e.g., SOC 2, SSAE 18) as well as independent audits.
Establish procedures for terminating or replacing vendors, including cloud-based service providers.

Understand Vendor Relationships

Understand all contract terms including:

Other specific terms to ensure that all parties have the same understanding of how risk and security is addressed.

Understand and manage the risks related to vendor outsourcing, including vendor use of cloud-based services.

Vendor Monitoring and Testing

Monitor the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.

FIN Compliance Products and Services 

RIA Registration Services:  New/existing firms.
RIA Compliance Consulting:  Ongoing/annual services.
Compliance Management System: Online portal.
Business Management System: Online portal. 
Advisor Transition Support:  RIA Matchmaking/continuity services.

Business/Referral Network: Inquire about advertising/consulting projects. 

Our Approach

Compliance Management - We work with companies that are seeking to manage their compliance obligations, serving more than 175 firms with compliance services and a system of SEC and state regulatory resources located on one site.

Business Management - We provide firms with task-management processes and a business directory to connect with other firms for continuity, succession planning, partnerships, and deal flow.  Also, we have a small network of referral partners for practice management, operations workflows, accounting, and website design.

Needs Analysis Workflow - We work with firms in determining their compliance management priorities.  During/after a needs analysis, we provide firms with compliance/business service options to address those needs and will provide firms with sample workflows for task delegation purposes.

Audit Preparation - We help firms in addressing compliance deficiencies while acting as an intermediary for resolving issues between (you) the advisor and regulators/examiners. We can also assist firms in audit prep measures.

Regulatory Changes - We research regulatory updates from state, SEC, and/or FINRA jurisdictions. We’re here to help as some rules/regulations may be amended over time.

About FIN Compliance 

FIN Compliance (FinCompliance.io) is a consortium of compliance, consulting, and business management solutions designed to help boutique investment firms structure, maintain, and develop their internal regulatory review programs.

Our product line consists of:  RIA Consults-Roberson Consults Group, a compliance consulting firm, RIA Review, a compliance-management system, B-D Review, a Hybrid-management system (est. in 2020)*, and FIN Lancer, a Business/Task Management system. 


FIN Ventures focuses on business strategy consulting for impact-based projects.

FIN Missions provides business/vision support group sessions for other entrepreneurs and youth mentoring.  In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.

Contact:  Cory Roberson - 
