SEC Warns Firm Leaders on Cybersecurity Policies
Effective security against cyberattacks requires a strong governance approach firm-wide, SEC official says.
This Practice Management article is intended for financial advisors only (registered representatives of broker/dealers or associated persons of Registered Investment Advisors).
As advisors continue to develop policies and procedures for protecting their systems and data from cyberattacks, they need to establish security as a firm-wide priority, a top Securities and Exchange Commission (SEC) official warns.
That demands "an approach to security that is meaningful and that is more than just a check-the-box approach, which really requires a strong governance component," said David Glockner, director of the SEC's Chicago regional office.
Glockner, who addressed an audience at the Investment Adviser Association's annual compliance conference in March, touted the importance of senior management at firms establishing cybersecurity as a priority for all units of the business—not just IT and compliance.
"I think it is difficult to [maintain] an effective cybersecurity program without high-level engagement," Glockner said. "I think it's very difficult to have an effective security program that is just in the IT world. Cybersecurity is an important risk, but it's one of a bunch of risks that an investment advisor faces. In order to be appropriately placed within the enterprise risk-management matrix, firms really need to be thinking about it in the context of all their other risks, and that's difficult to do if you're just approaching it from an IT perspective."
What the SEC Looks For
Glockner's comments come as the SEC has been taking a closer look at registrants' cybersecurity policies. Earlier this year, the commission released the preliminary results of a series of sweep exams it had been conducting looking at that issue at both advisor and broker/dealer practices.
That review is ongoing, and the commission stopped short of offering prescriptive guidance, opting instead to release a set of data points that examiners unearthed in their reviews. Among the findings: fewer than a third of advisor firms have designated a chief information security officer to lead their cybersecurity efforts, and slightly more than half conduct regular audits of their information security policies.
Glockner emphasized that the SEC is not looking to adopt or enforce stringent technical rules regarding advisors' cybersecurity practices, noting that the commission is primarily interested in ensuring that firms have a "reasonable" set of policies and procedures in place.
"Reasonable security procedures will look different for different registrants," Glockner said.
Appropriate or Effective?
But even with the wide latitude the SEC is extending to firms as they shape their cybersecurity approach, experts stress that any effective policy must remain dynamic, incorporating a thorough and ongoing assessment of risks, employee-training programs, and coordination with the third-party vendors the firm partners with, among other factors.
Gerald Stegmaier, a partner at the law firm Goodwin Procter, argues that advisors' security posture needs to adapt and evolve just like the nature of the cyberthreats they face. Put another way, advisors cannot view cybersecurity as a simple compliance exercise.
"Compliance tends to be very prescriptive—do you have these things in place?" Stegmaier said.
"If the answer is yes, it doesn't necessarily go to the effectiveness of those controls, whether they're effective and whether they're appropriate for your pain points," he said. "The policy is only as good as its execution."
Kenneth Corbin is a Financial Planning contributing writer in Washington, DC.
The information provided is for general information purposes only and is not intended to be legal, tax or investment advice. The information contained herein has been provided by sources other than Lord Abbett which are believed to be reliable; however Lord Abbett cannot guarantee the accuracy or completeness of this information.