On September 15th, the SEC issued a new Risk Alert that registered broker-dealers and investment advisors need to follow very closely, or face regulatory scrutiny.
This new Alert follows the agency’s April 2014 announcement of audits to identify cybersecurity risks and firm preparedness, as well as the February 2015 release of the summary of the findings from its first round of examinations of broker-dealers and investment advisors.
This Alert by the SEC isn’t just a collection of friendly tips – it provides important guidance around what the OCIE may review during its second round of examinations, and is broken down into 6 key areas: Governance and risk assessment, Access rights and controls, Data loss prevention, Vendor management, Training, and Incident response.
According to an article this week in Investment News, R.T. Jones Capital Equities Management in St. Louis agreed to pay a settlement of $75,000 to the SEC for failure to implement a cybersecurity policy, which led to the exposure of over 100,000 clients’ personal records. Eugene Goldman, a former SEC prosecutor and senior member of McDermott Will & Emery, warns firms that breaches like these will become more common: “This is the start of a series of similar actions that will be brought this year and next.”
While some firms may be able to comply with regulators through expensive and continuous maintenance of quickly-outdated technology or low-cost, non-specialized IT vendors, they still risk suffering real cyber breaches that put their clients and their firm at risk. Only financial firms that use top-tier services from a full-time security and IT partner can keep up with the war on cyber-terrorism.
The SEC’s statement on the R.T. Jones settlement goes even further. “As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, the co-chair of the agency’s Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
To see if you are ready for your SEC examination, schedule a free security assessment with External IT. We are offering a policy assessment to qualifying firms that includes a pass/fail analysis of your firm’s IT infrastructure and IT compliance practices in the key areas outlined by the SEC, followed by recommendations for remediating areas of concern.
About External IT
External IT provides cloud desktop technology built to meet the exacting requirements of RIAs and broker-dealers. If you would like to learn how cloud technology can help your firm with SEC compliance, click the button below to watch our Cybersecurity Webinar or contact us for more information.