What You Need to Know from OCIE’s 2020 Cybersecurity Observations


On January 27, 2020, the Securities and Exchange Commission’s (SEC) Office of Inspections and Examination (OCIE) released its Cybersecurity and Resiliency Observations for 2020 (the Release). The observations are designed to assist market participants in managing and combatting cybersecurity risk and in maintaining and enhancing operational resiliency.

  • Governance and Risk Management: As with the exam program generally, OCIE looks for a “tone at the top” when it comes to executing a firm’s compliance program. In particular, senior leaders should clearly communicate the organization’s commitment to tailored policies and procedures, a robust assessment of the firm’s cybersecurity risks, and continual monitoring of the program so that it quickly adapts to changes in risk.
  • Access Rights and Controls: From the beginning of its cybersecurity sweeps, OCIE has focused on access restrictions (i.e., limiting certain data to authorized users and better protecting against the improper use of client information). The Release emphasized that firms should be intentional when organizing and chronicling system data so that the system has fewer vulnerabilities. OCIE noted that effective programs include procedures to: manage user access through systems and procedures, enable multi-factor authentication and address access rights of individuals who leave the firm.
  • Data Loss Prevention: Procedures should be sufficient to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Firms that effectively prevented data loss routinely scanned for vulnerabilities in their software, hardware and web-based applications, including those of their third-party providers. These organizations also employed perimeter security measures capable of inspecting and preventing harmful traffic and detecting threats on system end points. Finally, firms should inventory their hardware and software assets, routinely patch and update software and oversee the proper disposal of legacy systems and equipment.
  • Mobile Security: Mobile devices and applications present unique vulnerabilities because they are in transit. OCIE observed that firms can install applications on these devices that will automate the routine monitoring of email communication, calendars, data storage and other activities. A key component in implementing effective security protocols includes training employees on prudent usage of mobile devices.
  • Incident Response and Resiliency: Firms should develop an incident response plan that enables swift detection and handling of a wide range of cyber threats. Once an incident occurs, the plan should outline the steps for a quick recovery so that the firm can continue safely serving its clients. OCIE highlighted the fact that other state and federal laws may apply to cybersecurity incidents. Accordingly, firms should consider the circumstances in which an incident warrants contacting employees, clients and/or third parties, such as criminal authorities and regulators.
  • Vendor Management: Third-party vendors may pose risks with respect to client data. OCIE noted that effective vendor management includes implementing initial screenings and safeguards, establishing vendor termination procedures, understanding and avoiding the risk posed by a vendor’s contract terms, and continuous monitoring of all third-party vendors.
  • Training and Awareness: Further to a “tone at the top,” firms should embed cybersecurity as a cultural norm that guides firm behavior. In addition, regular, formal training informs employees about the risks and responsibilities associated with cyber threats. OCIE observed that effective training programs include the use of examples and exercises that mimic the threats that the firm needs to prevent.

It is important to remember that these are general observations for the SEC as an agency. As you review the observations, compare them to your firm’s own policies and procedures and consider whether you may need to reassess certain policies and procedures moving forward. As always, the Greyline team is happy to assist you with these inquiries.

Please find the full Cybersecurity and Resiliency Observations here.

Darren Mooney

Partner and Co-Head of Business Development

Darren Mooney is a Partner and the Co-Head of Business Development at Greyline. Before joining Greyline, Darren served as deputy chief compliance officer of Partner Fund Management where he held primary responsibility for the compliance program of the second-largest hedge fund in the Bay Area. Prior to that, Darren spent five years providing compliance consulting services at Cordium and then ACA Compliance Group, where he led the company’s San Francisco office and west coast operations. In addition to providing ongoing consulting services to a variety of investment managers, including hedge fund, private equity, venture capital, real estate, quantitative and other wealth managers, Darren also regularly guided clients through the SEC registration process, implemented tailored compliance programs, supported clients’ live SEC exams, and served as an SEC-mandated independent compliance consultant following an SEC enforcement action. Darren’s other experience includes serving as deputy chief compliance officer and associate counsel at F-Squared Investments where he directly supported the compliance program during the investigation and subsequent enforcement regarding historical advertising practices. Darren has a B.S. in Economics from the University of Delaware and a J.D. from Suffolk University Law School. He is a member of the Massachusetts bar.

Annie Kong

Partner and Head of Venture Capital
Annie Kong is a Partner and Head of the Venture Capital Division at Greyline. She provides ongoing compliance consulting to investment advisers and manages client relationships. Prior to joining Greyline, Annie was part of compliance and operations at a long-only manager-of-managers that advised pension fund clients. While there, she conducted compliance and operational due diligence on SEC-registered investment advisers on the platform. She also oversaw and counseled on various legal matters across the firm. Annie has a B.A. in Economics from the University of California, San Diego, and a J.D. from the University of San Diego School of Law. She is an active member of the State Bar of California.