SEC Cybersecurity Guidance for Registered Investment Advisors
What is the cybersecurity guidance?
The main document that outlines the SEC cybersecurity guidance (and the expectations from the OCIE) is the “OCIE’s 2015 Cybersecurity Examination Initiative.”
This five-page document spells out 34 specific cybersecurity measures that each firm needs to address.
Additionally, the SEC has published a number of other pieces of cybersecurity-related guidance that you should consider, including:
- The SEC OCIE has clearly stated that cybersecurity is a priority in 2019 (see the SEC OCIE 2019 Examination Priorities).
- In 2017, the OCIE published their observations after reviewing 75 firms’ cybersecurity practices (“Observations from Cybersecurity Examinations“).
- Also in 2017, they also published a risk alert focused specifically on ransomware (“Cybersecurity: Ransomware Alert“)
- In 2019, a new risk alert provided even more guidance about cybersecurity measures (see “Investment Adviser and Broker-Dealer Compliance Issues
Related to Regulation S-P – Privacy Notices and Safeguard Policies”).
Finally, there are also published guidelines around topics very closely related to cybersecurity, such as:
- Emails and texting: “Observations from Investment Adviser Examinations Relating to Electronic Messaging“
- Social media: “Investment Adviser Use of Social Media“
As with all regulatory matters, if you’re not sure which cybersecurity regulations apply to your RIA firm, consult with a qualified compliance attorney or compliance consultant.
Staying up to date on the latest SEC Cybersecurity Guidance
The best resources we’ve found to stay up to date on the latest cybersecurity guidance are:
1) Subscribe to the OCIE Announcements.
Head over to the Announcements page and enter your email address to get email notifications when a new piece of guidance is published.
2) Subscribe to updates from Lexology.
The Lexology website hosts fantastic articles written by attorneys on a wide variety of topics. Register for a free account, and they can send you daily or weekly email alerts.
We’ve found it’s best to sign up to get updates for the “IT & Data Protection” work area.
You’ll find the articles are helpful not only to read interpretation of the SEC’s guidance, but also to keep updated about other cybersecurity and privacy-related regulations that might impact your business.
Making sense of the Cybersecurity Guidance
Much of the decision-making process is left up to each individual registered investment advisor to decide what and how to address the guidance in their firm.
The devil is truly in the details — the guidance tells you WHAT to address, but not HOW to address it.
As part of our cybersecurity service for registered investment advisors, we’ve had an opportunity to see first-hand the areas where RIA’s tend to struggle.
As a result, we’ve published a number of topical guides that dive into the guidance and explore your options and make recommendations.
You can read these detailed guides here: