Electronic Messaging Exams: Looking Beyond Emails
The SEC is conducting “electronic messaging” examinations, which include all forms of written communications related to an Adviser’s business which are conveyed electronically by methods other than email messages sent or received using the Adviser’s email system.
The types of electronic messaging in the examination include those of the Adviser and the Adviser’s personnel (including independent contractors) used for the Adviser’s business and subject to the Books and Records rule (Rule 204-2(a)(7) or (11)).
The types of electronic messaging include:
- Instant messaging
- Text/SMS messaging
- Email and personal or private messaging, whether on the Adviser’s systems or third party apps or platforms
- The Adviser’s mobile devices
- Personally owned computers or mobile devices used by Adviser personnel, including independent contractors
The exam document request asks the Adviser to provide copies of written policies and procedures relating to electronic messaging, including informal or unwritten policies or procedures, and those addressing transmittal of sensitive information and related security and privacy concerns. The exam requests identification of all persons overseeing the policies and procedures and their roles and responsibilities, monitoring and review processes, exception reports, whether any violations have been detected, a summary of any internal audits or compliance reviews associated with electronic messaging, and copies of any risk assessments or risks, and how the Adviser mitigates or addresses these risks. Information regarding recordkeeping is requested, including if maintained by a third party vendor.
Takeaways:
- Review your policies and procedures related to electronic messaging. Ascendant’s Cybersecurity Practice can partner with you to craft more robust policies related to Electronic Communications, Acceptable Use and Information Security that are tailored to your business and cover policies and controls for email, text messaging, apps and cloud-based services. You can also use our proprietary technology tool, Ascendant Compliance Manager, to manage and distribute those policies, capture employee attestations, document your control activities and log any material findings. Contact us to learn more.
- We’ve also previously weighed in on some of your options relating to policies regarding personal e-mails at work in a previous blog we did on cybersecurity, linked here.
- We believe this is a sweep exam in the NY region, which may be designed for information gathering and result in a soon-to-be SEC Guidance Alert. We will continue to keep you posted if/when we learn anything new.