SEC Expects Updated Cybersecurity / BCP Policies: Takeaways from the SEC’s 2021 Exam Priorities
The Securities and Exchange Commission has released its 2021 Examination Priorities a little later this year than in years past, but investment advisers shouldn’t waste any time in tackling the hot button issues that will inform the agency’s exams this year for cybersecurity. After a year that saw many firms switch to remote work environments and upend their communications systems and ways of doing business, the regulator made it clear that it expects registrants to have documented the changes they made and adjusted their risk management practices accordingly.
Highlights of the 2021 Exam Priorities in the areas of cybersecurity include:
- A continued focus on the compliance and operational challenges around supervision of remote staff
- Information security and operational resiliency remain a priority. The SEC states that the pandemic has exacerbated the risks of endpoint security, data loss, remote access, communications systems, and vendor oversight. The exam staff plans to assess whether firms have implemented reasonable controls around intrusion detection, vendor due diligence and oversight, (3) phishing, (4) incident response, and (5) risks associated with remote workforces using cloud-based and mobile applications to store client data.
- Anti-money laundering
- ESG themes, which permeate the priorities list throughout. In terms of cyber and IT risk, the regulator plans to examine whether firms’ business continuity plans are updated to reflect reasonably foreseeable risks due to climate change
- A focus on material impacts to portfolio companies owned by private funds
While some firms have thoughtfully documented changes in their programs over the past year, CSS recommends that every advisory firm take a close look at whether they have incorporated the following specific recommendations into their compliance and cybersecurity programs:
- Update the Compliance Manual, Information Security Policy, and/or Business Continuity Plan to note any new communications tools used by the firm. This may include new videoconferencing and collaboration tools such as Zoom or Microsoft Teams. If you are using these systems now and didn’t use them previously, then your policies and procedures might be out of date.
- Confirm that you conducted due diligence on any new vendors used during the prior year, and refresh your due diligence on all vendors in light of increased cyber incidents. For example, the Solarwinds Orion hack may have impacts to some of the third parties your firm uses. It is a good opportunity to add a few questions to this year’s due diligence to ask your vendors about any exposure to the Solarwinds incident.
- If any exceptions to existing Information Security Policies were made during the past year as an accommodation to staff working remotely, make sure that those exceptions have been adequately documented. (For example, if your firm was unable to keep laptops patched because staff were working from home, then you may have allowed an exception to your firm’s patching policy.) It is a best practice in information security that a formal Exceptions Policy govern the approval of any exceptions. Approvals, such as to allow staff to use personally owned computers for business purposes or to lengthen the time between password changes, should be specifically documented with an approval date and an expiration date for the exception. After all, exceptions are meant to be temporary. If a need for an exception continues to exist, the firm should re-confirm and extend the date for the exception. Exceptions lasting longer than one year may be indicative that the policy itself needs to be revised, rather than having the exception persist.
- Storage of confidential information in hard copy at personal residences can pose a privacy issue. Periodically assess whether staff are securely handling confidential information and remind them of the importance of safeguarding information through compliance attestations and/or security awareness training.
- Cyber professionals have warned that phishing attacks have increased considerably over the past year and that ransomware continues to evolve (see the SEC’s Cybersecurity Ransomware Alert and Credential Compromise Risk Alert) Consider retaining a vendor to manage phishing testing and to conduct ongoing monitoring of compromised passwords on the dark web for your staff.
- ESG informs a big part of SEC’s efforts this year and that extends to BCP. While many BCP’s likely already mention that they are designed to cover risks of business disruption due to significant weather events, the SEC’s focus on ESG presents an opportunity to revisit your BCP and confirm what risks it is designed to address. CSS recommends adding a very specific mention of the risk of significant weather events caused by climate change and environmental factors. In addition, if you have not done so already, add pandemics and other significant health events as reasonably foreseeable risks to the BCP. Take the opportunity to review your Form ADV disclosure as well, particular Part 2A Item 8, and whether it makes sense for your firm to discuss ESG and pandemics as material risks.
- For private fund advisers, impacts to portfolio companies are a focus of the SEC. This means that private fund advisers should be conducting assessments of their portfolio companies’ risks. In addition to operational risks stemming from COVID-related economic issues such as office and factory closures, cybersecurity risks can have a significant impact on a portfolio company’s valuation and in turn impact fund valuation. CSS can assist private fund advisers in conducting cybersecurity assessments of portfolio companies.
For more information on CSS’s Cybersecurity Services or to speak with a cybersecurity expert, please email: firstname.lastname@example.org