Cybersecurity for RIA firms

Cybersecurity for RIA firms – The Office of Compliance Inspections and Examinations (OCIE) recently announced the results of its second cybersecurity examination initiative for regulated entities, including RIA firms.  This initiative followed on from the SEC’s 2014 cybersecurity examination initiative, but went further in that examiners validated and tested the procedures and controls firms had in place rather than relying on firms’ own descriptions of their cybersecurity preparedness.  Cybersecurity has become an important part of an RIA firm’s policies and procedures because those policies are the firm’s primary means of protecting client information.

OCIE identified six broad elements that it recommends regulated entities, such as RIA firms, consider adopting as part of their compliance programs:

  1. Maintenance of an inventory of data, information and vendors: A complete inventory of data and information and classification of the related risks and vulnerabilities.
  2. Detailed policies and procedures for penetration testing, security monitoring, system auditing, access rights and data breach reporting: Specific documentation addressing the scope, methodology, timing and responsible parties for an entity’s cybersecurity activities.
  3. Maintenance of schedules and processes for activities such as vulnerability scanning and patch management: Defined schedules and prioritization for activities related to testing and risk-assessing patches and identifying system vulnerabilities.
  4. Effective access controls and access monitoring: Implementation of acceptable use and mobile device policies, review of third-party vendor logs and prompt termination of former employees’ system access, including access to vendor-hosted systems.
  5. Mandatory enterprise-wide information security training: Cybersecurity training for all employees at on-boarding and periodically thereafter.
  6. Engagement of senior management in the review and approval of cyber-related policies and procedures.
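The access-control element above (item 4) is the one examiners can test most directly: a terminated employee who still has a working login, in the firm’s own directory or at a custodian or other vendor, is a finding. The following script, which is an added example and not OCIE’s guidance or any firm’s code, shows the reconciliation a compliance or IT reviewer can run periodically: it compares an HR termination feed against a snapshot of enabled accounts and flags access that outlived a termination SLA, logins that occurred after the termination date, and enabled accounts that belong to no known current or former employee. All usernames, timestamps, the 24-hour SLA, and the "ad" / "vendor:custodian" source labels are constructed for illustration.

```python
"""Reconcile enabled accounts against HR terminations (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[datetime]   # None if the account has never logged in
    source: str                      # "ad" = firm directory; "vendor:<name>" = third-party system


# Constructed HR feed: username -> termination timestamp (UTC). Hypothetical data.
TERMINATIONS: Dict[str, datetime] = {
    "jdoe": datetime(2017, 8, 1, 17, 0, tzinfo=UTC),
    "asmith": datetime(2017, 8, 2, 12, 0, tzinfo=UTC),
    "bwong": datetime(2017, 8, 4, 9, 0, tzinfo=UTC),
}

# Constructed snapshot of accounts in the firm's directory and at a custodian portal.
ACCOUNTS: List[Account] = [
    Account("jdoe", True, datetime(2017, 8, 3, 8, 15, tzinfo=UTC), "ad"),     # still enabled, used after leaving
    Account("asmith", False, None, "ad"),                                     # correctly disabled in the directory
    Account("asmith", True, datetime(2017, 8, 2, 14, 0, tzinfo=UTC), "vendor:custodian"),  # vendor access lingered
    Account("bwong", True, None, "ad"),                                       # terminated an hour ago, within SLA
    Account("svc_backup", True, None, "vendor:custodian"),                    # no owner in the HR roster at all
    Account("cjones", True, datetime(2017, 8, 4, 8, 0, tzinfo=UTC), "ad"),    # current employee
]
ACTIVE_EMPLOYEES: Set[str] = {"cjones"}

# Time of the review and the firm's (hypothetical) deprovisioning SLA.
NOW = datetime(2017, 8, 4, 10, 0, tzinfo=UTC)
SLA = timedelta(hours=24)

Finding = Tuple[str, str, str]   # (username, source, reason)


def find_stale_access(accounts: Iterable[Account], terminations: Dict[str, datetime],
                      now: datetime, sla: timedelta = SLA) -> List[Finding]:
    """Flag terminated users whose access is still enabled past the SLA or was used after termination."""
    findings: List[Finding] = []
    for acct in accounts:
        term = terminations.get(acct.username)
        if term is None:
            continue   # not a terminated user; orphan handling is separate
        if acct.enabled and now - term > sla:
            findings.append((acct.username, acct.source, "enabled past SLA"))
        if acct.last_login is not None and acct.last_login > term:
            findings.append((acct.username, acct.source, "login after termination"))
    return findings


def find_orphaned_accounts(accounts: Iterable[Account], terminations: Dict[str, datetime],
                           active_employees: Set[str]) -> List[Tuple[str, str]]:
    """Enabled accounts that map to neither a current employee nor a known termination."""
    known = set(terminations) | set(active_employees)
    return sorted({(a.username, a.source) for a in accounts if a.enabled and a.username not in known})


def review(now: datetime = NOW) -> Dict[str, list]:
    """Run both checks over the constructed snapshot; the result is what a reviewer would escalate."""
    return {
        "stale": find_stale_access(ACCOUNTS, TERMINATIONS, now),
        "orphaned": find_orphaned_accounts(ACCOUNTS, TERMINATIONS, ACTIVE_EMPLOYEES),
    }


if __name__ == "__main__":
    result = review()
    for user, source, reason in result["stale"]:
        print(f"STALE    {user:<12} {source:<18} {reason}")
    for user, source in result["orphaned"]:
        print(f"ORPHAN   {user:<12} {source}")
```

Two points in the output are worth noting. The directory account for asmith is correctly disabled, yet the custodian login is still enabled and was used after the termination date; reviewing only the firm’s own directory would miss it, which is why the element pairs access termination with review of third-party vendor logs. The orphaned service account is not a termination failure but is exactly the kind of unowned access an inventory (item 1) is meant to surface.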