
SEC: Prioritizing Cybersecurity

Cybersecurity is now a priority that many investment advisers must address. On June 14, SEC Chair Mary Jo White echoed that sentiment in her testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs.

“Cybersecurity is – as I have said before – one of the greatest risks facing the financial services industry and will be for the foreseeable future,” Chair White said in her remarks. She went on to note that the SEC has taken a “proactive” approach that includes “examining and enforcing the rules we oversee that relate to cybersecurity.”

Reading between the lines, it appears that the SEC does not need a new Cybersecurity Rule to enforce requirements. Rather, the Commission appears willing and able to enforce existing regulations that already address cybersecurity – particularly Rule 30(a) of Regulation S-P, which requires registered investment advisers to adopt written policies and procedures reasonably designed to safeguard customer records and information.

Regulation S-P violations have paved the way for the SEC to bring two cybersecurity enforcement actions against investment advisers within the last nine months – first, against RT Jones in September 2015 and more recently against Morgan Stanley Smith Barney in June 2016.

SEC’s 2016 Efforts on Cybersecurity Exams

Chair White stated that the SEC is focusing on “ensuring that our registered entities have policies and procedures to address the risks posed to their systems and data by cyberattacks,” explaining that the agency has expanded its cybersecurity examinations to include testing of firms’ implementation of procedures and controls.

The SEC is currently examining these issues at firms in 2016, and recently announced the promotion of Christopher Hetner to the role of Senior Advisor to the Chair for Cybersecurity Policy. Mr. Hetner, a former chief information security officer at GE Capital, is the Cybersecurity Lead for the SEC’s Office of Compliance Inspections and Examinations (OCIE) Technology Controls Program.

Chair White’s full testimony is available on the SEC’s website.

GIPS Compliance Form Deadline

If your firm is claiming compliance with the Global Investment Performance Standards (GIPS®), this is a friendly reminder to file your annual 2016 GIPS Compliance Form with the CFA Institute by June 30.

You can do so by logging in to the GIPS website.

When you complete and submit your form, remember to print the acknowledgement and maintain it on file as verification that you have submitted it prior to the deadline.

If you have questions about submitting your GIPS Compliance Form, please contact Ascendant at 860-435-2255.

Need Help on Forms & Filings?

Ascendant’s ongoing education series ComplianceCast returns on Thursday, June 16 at 2 pm ET with an episode focused on regulatory forms and filings.

The subject will be presented by Kevin Loria, VP & Compliance Services Consultant, and E.J. Yerzak, Partner and VP of Technology, both of Ascendant.

They will be discussing the following topics:

  • Current Snapshot of Required Filings
  • Identifying Difficult Aspects
  • Methods for Managing
  • Current Regulatory Concerns
  • Forms: ADV, 13H, 13F, 13D, 13G, PF, SLT, TIC, SHC, SHL, and more

ComplianceCasts are free to attend and continuing education credits are offered.

Registration for upcoming presentations is available on Ascendant’s website, as is the ComplianceCast archive, with presentations on CCO Liability, Cybersecurity and Creating a Culture of Compliance.

Password Manager vs. Autofill

What is the difference between just having a browser save and autofill passwords, and using a password manager?

The biggest difference is that a password manager lets you actually manage your credentials. Changing a password or updating account details is far easier in a password manager than in a browser’s password store. Other differences include:

  • Password managers sync across many devices and browsers, rather than being tied to one browser profile.
  • Some password managers offer an automated password changer for supported sites. If a service such as LinkedIn is breached, exposing millions of accounts, the manager can rotate your password for that site in a few clicks. Note that this works only for sites the vendor supports and still depends on you learning of the breach; it does not by itself make the account safe.
  • Built-in password auditing flags passwords that are reused across accounts, too short, or known to be compromised.
  • Autofill, just as in the browser.
  • Storage of other sensitive data besides usernames and passwords, such as secure notes, card details and recovery codes.
  • A password generator that produces long random passwords, so you are not tempted to pick memorable (and guessable) ones.

In general, a password manager is a much better way to keep track of your passwords and keep them unique and strong.

Browser-saved passwords offer little beyond convenience and can lead people into the pitfalls of poor password management, such as reusing one password everywhere.
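The auditing, generation and rotation features described above, as an added illustration (this is not code from the original post or from any password manager product): a small Python vault audit that flags passwords reused across sites, passwords below a minimum length, and entries whose SHA-1 digest appears in a breach list, plus a CSPRNG-backed generator and a rotate step that fixes a finding. The vault entries, the site names and the breach set are constructed sample data; a real manager would check a breach service with a hashed, k-anonymity style range lookup rather than a local set, and the minimum length here is an assumed policy value, not an industry rule.

```python
"""Password-vault audit, generator and rotation (added illustration, constructed data)."""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault: what a password manager would hold for one user.
SAMPLE_VAULT = [
    {"site": "linkedin.com", "user": "alice", "password": "Summer2016!"},
    {"site": "bank.example", "user": "alice", "password": "Summer2016!"},  # reused
    {"site": "mail.example", "user": "alice@mail.example", "password": "x9#Qv!pL2@rT7mWz"},
    {"site": "forum.example", "user": "alice", "password": "password"},  # weak and breached
]

# Constructed stand-in for a breach feed: SHA-1 digests of known-compromised passwords.
# Keeping digests rather than plaintext mirrors how such feeds are distributed.
BREACHED_SHA1 = {
    hashlib.sha1(b"password").hexdigest().upper(),
    hashlib.sha1(b"123456").hexdigest().upper(),
}

MIN_LENGTH = 12  # assumed policy value for this example
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Build a password from the OS CSPRNG (secrets, never the random module),
    retrying until every character class is present."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def audit_vault(vault, breached_sha1=BREACHED_SHA1, min_length=MIN_LENGTH):
    """Return {site: [finding, ...]} for every entry with at least one problem."""
    findings = defaultdict(list)
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            findings[site].append("reused on " + ", ".join(sorted(others)))
        if len(pw) < min_length:
            findings[site].append(f"shorter than {min_length} characters")
        if hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in breached_sha1:
            findings[site].append("appears in breach corpus")
    return dict(findings)


def rotate(vault, site):
    """Return a copy of the vault with a freshly generated password for one site."""
    return [
        {**entry, "password": generate_password()} if entry["site"] == site else entry
        for entry in vault
    ]


if __name__ == "__main__":
    for site, problems in sorted(audit_vault(SAMPLE_VAULT).items()):
        print(f"{site}: {'; '.join(problems)}")
    fixed = rotate(SAMPLE_VAULT, "linkedin.com")
    print("after rotating linkedin.com:", sorted(audit_vault(fixed)))
```

Running the audit on the sample vault reports the shared "Summer2016!" password on both sites that use it (and that it is under the length floor), and flags the forum entry as both short and present in the breach set; the 16-character mail password produces no finding. Rotating the LinkedIn entry removes that site from the report while the bank entry remains flagged, which is the practical point of per-site auditing: one breached or reused credential is fixed without touching the rest of the vault.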

Non-Governmental Adviser Exams Coming?

The SEC plans to propose rules authorizing non-governmental examinations of advisers, according to its latest regulatory agenda filed with the Office of Information and Regulatory Affairs.

The brief filing is available on the OIRA website (reginfo.gov).

It plans to propose the rules establishing a program of third-party compliance assessment in April 2017, with a goal of increasing the number of annual adviser exams. The agency recently announced plans to add over 100 new examiners under its proposed 2017 budget.


Why Care About Ethics?

A 2013 speech by Stephen L. Cohen, Associate Director of the SEC’s Division of Enforcement, highlighted the importance of corporate compliance and ethics. Importantly, the speech explained how an effective compliance program can lower the risk ranking a firm receives from the SEC’s National Examination Program. In other words, being able to evidence the tone at the top and the culture of compliance within your organization can lengthen the interval between routine examinations.

But don’t take our word for it, listen to what Cohen said:

“First, there is no doubt in my mind that a strong compliance and ethics program not only provides direct economic benefits to your company but will also allow you to reap significant credit should you ever deal with us or our law enforcement colleagues. The alternative may be squaring off against our vigorous enforcement program…. More broadly, in the firms the SEC regulates, our National Examination Program staff meets with senior leaders, boards and compliance personnel, to assess the culture of compliance and ethics in the organization. These assessments can factor into the level of risk the staff ascribes to a firm, which can affect how frequently they are examined. And, they do not hesitate to emphasize the importance of supporting these functions through enforcement if necessary.”

So what are the consequences for not having a robust compliance program? As Associate Director Cohen explains:

“Working closely with our National Exam Program and colleagues in our Investment Management Division, Enforcement’s Asset Management Unit is coordinating efforts to identify and bring cases against registered investment advisers who lack effective compliance programs and procedures. Effective compliance programs and personnel are instrumental to protecting the investing public from investment adviser fraud. To date, the Commission has brought six actions arising out of this initiative, which is particularly timely because hundreds of private fund advisers have recently registered with the Commission under Dodd Frank. And there are more in the pipeline.”

No one wants to find themselves in the crosshairs of enforcement so it is important to not just implement a compliance program, but to have it permeate the entire organization.

“A strong ethical culture flows from good governance and requires leaders to promote integrity and ethical values in decision-making across the organization,” Cohen said. “This entails asking not just ‘can we do this,’ but ‘should we do this?’”

“A culture of compliance and ethics can and should be measured from interaction with leadership across the organization as well as from front line employees who are often a revealing barometer of what the culture and expectations really are.”

And remember that compliance is not a ‘set-it-and-forget-it’ function. It has to be an active, continuous process that keeps improving. As the Associate Director points out:

“…your organization must proactively keep pace with developments and leading practices as part of a commitment to a culture of ongoing improvement. Business models, rules, ethical standards and compliance tools are continually evolving. Yet, recent studies show that compliance officers may not be focusing on emerging risk areas such as social media and privacy issues. Leading organizations ensure that they stay in front of these changes through a process of ongoing improvement that leverages new technology and best practices.”

So, are you on the front lines looking out for the next compliance enemy, or simply getting lost in the trenches?