SEC Warns Firm Leaders on Cybersecurity Policies | Lord Abbett



Practice Management

Effective security against cyberattacks requires a strong governance approach firm-wide, SEC official says. 

This Practice Management article is intended for financial advisors only (registered representatives of broker/dealers or associated persons of Registered Investment Advisors).

As advisors continue to develop policies and procedures for protecting their systems and data from cyberattacks, they need to establish security as a firm-wide priority, a top Securities and Exchange Commission (SEC) official warns.

That demands "an approach to security that is meaningful and that is more than just a check-the-box approach, which really requires a strong governance component," said David Glockner, director of the SEC's Chicago regional office.

Glockner, who addressed an audience at the Investment Adviser Association's annual compliance conference in March, touted the importance of senior management at firms establishing cybersecurity as a priority for all units of the business—not just IT and compliance.

"I think it is difficult to [maintain] an effective cybersecurity program without high-level engagement," Glockner said. "I think it's very difficult to have an effective security program that is just in the IT world. Cybersecurity is an important risk, but it's one of a bunch of risks that an investment advisor faces. In order to be appropriately placed within the enterprise risk-management matrix, firms really need to be thinking about it in the context of all their other risks, and that's difficult to do if you're just approaching it from an IT perspective."

What the SEC Looks For
Glockner's comments come as the SEC has been taking a closer look at registrants' cybersecurity policies. Earlier this year, the commission released the preliminary results of a series of sweep exams it had been conducting on that issue at both advisor and broker/dealer practices.

That review is ongoing, and the commission stopped short of offering prescriptive guidance, opting instead to release a set of data points examiners unearthed in their reviews. Among the findings: fewer than a third of advisor firms have designated a chief information security officer to run point on their cybersecurity efforts, and slightly more than half conduct regular audits of their information security policies.

Glockner emphasized that the SEC is not looking to adopt or enforce stringent technical rules regarding advisors' cybersecurity practices, noting that the commission is primarily interested in ensuring that firms have a "reasonable" set of policies and procedures in place.

"Reasonable security procedures will look different for different registrants," Glockner said.

Appropriate or Effective?
But even with the wide latitude the SEC is extending to firms as they shape their cybersecurity approach, experts stress that any effective policy must remain dynamic, incorporating a thorough and ongoing assessment of risks, employee-training programs, and coordination with the third-party vendors the firm partners with, among other factors.

Gerald Stegmaier, a partner at the law firm Goodwin Procter, argues that advisors' security posture needs to adapt and evolve just like the nature of the cyberthreats they face. Put another way, advisors cannot view cybersecurity as a simple compliance exercise.

"Compliance tends to be very prescriptive—do you have these things in place?" Stegmaier said.

"If the answer is yes, it doesn't necessarily go to the effectiveness of those controls, whether they're effective and whether they're appropriate for your pain points," he said. "The policy is only as good as its execution."

Kenneth Corbin

Kenneth Corbin is a Financial Planning contributing writer in Washington, DC.


