SEC Hot Button Issues

Cybersecurity in Compliance

Our presenters, Charles and John, will discuss today's SEC hot button issues and share practical steps to prepare your firm's policies and procedures.

Hot button issues covered in this series include:

  • Cybersecurity
  • Conflicts of interest
  • Expense allocation
  • Regulation D


Charles Lerner, J.D. is a principal of Fiduciary Compliance Associates LLC, which provides full-service compliance support to investment advisers. Prior to serving as a managing director and CCO at several major institutions, Charles was an attorney in the SEC Division of Enforcement and the director of ERISA enforcement at the U.S. Department of Labor. He has edited four compliance guides for advisers published by PEI Media International.

John H. Roth, J.D., LL.M. is the General Counsel and Chief Compliance Officer of Venor Capital Management LP, a private fund manager located in New York, New York.





Transcript available below:

I'm going to move on to the first topic, which is really cyber security, where the SEC has had a big focus on this issue since it first announced it in April of 2014. One of the things I suggest to my clients, and my clients are hedge funds and private equity of various sizes, is to go back to the April 2014 document, which lists some 28 items; the last one's a catchall, but it lists items that the SEC is interested in the firm having. What I suggest to my clients is that they take that list, put it in an Excel spreadsheet, and then have a column that marks what the policy and the process they had are, or that they're not doing something and what the reason is. That'll be important when the SEC comes, so that you can demonstrate that you've given it good consideration and you've determined, as a firm, what your needs are and what's your risore.

The commission had done a sweep exam and came up with some results - next slide please - which they reported. I put some here that were kind of negative-ish, but many of the firms, something like 80%, had written policies and procedures. 80% of them did risk assessments, so people already were taking the 2014 guidance to heart and following it. Recently, I had a client who got - from an existing investor - a questionnaire, a DDQ from them. There were 13 questions. 3 of them dealt with this kind of issue. One of them said, "Does your firm maintain a formal information security policy?" Then it said, "If so, please provide a copy and detail any material changes." Now that's something you'd have to think about, whether you actually want to turn over your written information security plan. I would suggest not, much like, in most cases, we don't provide a compliance manual. We offer to let an investor come into our offices and read it. Likewise, for this, I wouldn't provide it.

The other question is, "When was the last time you conducted any vulnerability assessment or penetration tests?" I think it's not only an issue for us and the SEC; investors are paying attention to it as well. The other thing that happened at the outreach is they did have a section on cyber security which I thought laid out all the issues, all the areas, but in the New York office's outreach remarks, they sort of honed in on what the important issues are. One, you should have governance policies and procedures. You should have some sort of assessment of cyber security risks. You should do something to understand from your vendors and third parties, third parties who have access to your systems and vendors who have access to your information, what they're doing on cyber security. Do you have a way to detect cyber security risks, and how have you handled those risks? One of the things, too, in the SEC sweep: a large percentage of the people they examined had had some sort of cyber security attempt.

Likewise, at another program that I was at with an assistant director from one of the SEC's offices, they covered some of these same issues, but some of them are a little different. They want to look at policies and procedures, periodic testing, who has access and controls, password protection, data loss prevention, incident response, and a very important one that we all should make sure we're doing, which is that we have provided training for our staff.

There are a couple of other things that you ought to think about. One is whether you do some sort of penetration testing, which is a way for IT, internal or external, to determine whether somebody could come through some back door way into your systems, and then they shut those. The other one that I recommend, that I think is worthwhile, is phishing testing. Verizon did a study some time ago and found that when people got emails with a link, about a third of the time, people clicked on the link, and that's one of the ways that your system can get compromised.

A couple of other things you might want to think about are whether you want to allow your employees to have access through your systems to their own external email accounts, because if they get an external email and click on a link, it could harm your system. Particularly these days, I know that a number of people, a lot of senior people, wanted to be able to have access to their external emails, which may be less of an issue these days with people having their own personal iPhones and iPads and the like, because you don't want to get your system compromised.

One other thing that I want to mention is having a process in place for investors or customers contacting you and giving you direction. You should have a protocol for that, which is that if somebody calls you and gives you direction, you communicate back to them and confirm it by a written means like email. You have to be very cautious of that. I had an interesting situation with one of my clients. The name of the firm was Something Something LLC. The controller got an email that said, "Dick" - it was from the head of the firm - "Dick, will you transfer $5,000,000 to this account at HSBC." The thoughts went up. His name is Dick, Richard, but he was always called Richard, and it clearly didn't come from him. As it turned out, somebody had actually created an email address for the same firm, except instead of the LLC part, it had the number 1, LC, so it looked like it had come from somebody at the firm, and it hadn't.

Cyber security, one other thing I want to mention, is that field offices have been doing examinations. Each one was assigned to do five or six firms in the first part of this year, to have them completed in June, with the expectation that they'll come out with the results to see whether advisors and broker dealers had taken to heart the guidance they've had.

John, anything else that you want to add on this?

Right, I'd like to make three really quick points.

As Charles alluded to, what I've found in working through our written information security plan and thinking about cyber security in general is that I think one of the biggest risks that we've identified, and I think one of the biggest risks that the SEC mentioned recently, is the human factor. People can make mistakes. You can have really great systems set up. You can have really great protection set up in your systems, but humans can make mistakes, so training employees, training on the systems that you have, training employees on the things that they need to be aware of, is extremely important.

Number two, when you're developing your risks, some people get confused between your risk and a business continuity plan. I think they can be considered close cousins, and there are things that, when you developed your business continuity plan, you can borrow from that because, for example, when you did your BCP, you probably created an inventory of your systems: where information resides, who has access to it, what happens if it's down. You can borrow that information, so when you create your risks, you probably are not starting from scratch. Be that as it may, they are two different types of policies because they aim to address two different situations.

I absolutely agree.

The third thing that I would recommend people do is to tap into various resources to keep aware of new types of attacks that are out there. One of the things that's really important to note about cyber security is that, in a way, on the defensive side, we are playing catch-up constantly because people out there, the bad actors in the world, get a sense for what defenses are there, and they try to find ways around them. You need to have a pretty good working knowledge of new threats that are out there so, for example, you can train employees. There are a lot of different resources. We tie into a couple of them. There's a website or an email service from which you can get alerts from the FBI. For example, around tax season, they sent alerts about fraudulent tax returns and things like that.

Finally, on that note, a lot of times when I send out alerts, I remind people this is not just a problem with respect to the firm's systems. It can be a problem with respect to your personal systems, so people need to be aware of that as well. Just because there's spoofing on firm email, there can be spoofing on personal emails, so I try to put that a little bit into perspective, and I think that helps employees really pay attention as well.

We have a polling question we're going to go to, which is on slide 10. Do you conduct due diligence on third parties who maintain former client confidential information and/or have access to it? Up will pop - for you to check one of the boxes. Ding ding ding ding ding, and then we'll see what it comes up with. While you're doing that, it is one of the things that I thought about: there was an article in the New York Times a couple of months ago about two major law firms in New York who were hacked. They don't know whether they got any information or not, but they were, and then one of the SEC cases, the Jones case, was based upon that, too, that nobody was harmed but, in fact, the SEC took action.

One thing to mention in terms of this question -

65% do. We can't see the 24% who are not sure. It ought to be part of asking your administrator, your law firm, your accounting firm, and all those. Any that have access to your systems for sure, but also the others that have confidential information. One thing you may want to think about as well is whether you add something to your contract with them in order to ensure that they do have some cyber security protection and do they do ... which they won't give you what it is - and do they do any assessment testing, which they won't tell you the result of, but at least you'll know they're doing something.

This is a particularly important concept in the world in which we live, where a lot of systems require this. Whether your servers are cloud based with an external service provider or even one of your service providers works off of a cloud based system, these are important things to know, and as you do your inventory of where information is and who has access to it, that will help give rise to the right people to do due diligence on and actually help them do that diligence.
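The lookalike-domain spoof Charles describes above (an address registered so that "LLC" reads as "1LC") is something an inbound-mail check can flag before a wire instruction is acted on, which is the written-confirmation protocol he recommends. The following is an added example written for this page, not code from the webinar or either presenter; the firm domain, the approved-domain list and the sample message are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Approved sender domains for a hypothetical firm "Something Something LLC".
# Constructed placeholder; a real deployment would load this from policy config.
APPROVED_DOMAINS = {"somethingllc.com"}

# Digits that are commonly substituted for visually similar letters in spoofed
# domains. Mapping them back lets "something1lc" compare equal to "somethingllc".
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})

# Constructed sample message modelled on the incident described in the transcript.
SAMPLE_FROM = "Richard <richard@something1lc.com>"   # spoof: 'llc' became '1lc'
SAMPLE_BODY = "Dick, will you transfer $5,000,000 to this account at HSBC."

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value: str) -> str:
    """Domain part of a From: header such as 'Richard <richard@firm.com>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify_sender(header_value: str, approved=APPROVED_DOMAINS) -> str:
    """Return 'approved', 'lookalike' or 'external' for a From: header.

    'lookalike' means the domain is not approved but its first label, after
    confusable normalisation, is within edit distance 2 of an approved label.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "external"
    if domain in approved:
        return "approved"
    label = domain.split(".")[0].translate(CONFUSABLES)
    for good in approved:
        if edit_distance(label, good.split(".")[0]) <= 2:
            return "lookalike"
    return "external"

def wire_request_needs_callback(header_value: str, body: str) -> bool:
    """Constructed policy rule: any message asking for a transfer that does not
    come from an approved domain is held for out-of-band confirmation."""
    asks_for_money = re.search(r"\b(transfer|wire|remit)\b", body, re.I) is not None
    return asks_for_money and classify_sender(header_value) != "approved"
```

Run `wire_request_needs_callback(SAMPLE_FROM, SAMPLE_BODY)` to see the constructed spoof held for confirmation; a message from the genuine domain with the same body is not.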

