Open the SEC examination priorities memo for 2022, jump to the information security and operational resiliency section, and you’ll find plenty of requirements about taking “appropriate measures.”
What you won’t see are details about what counts as an “appropriate measure.”
Our IT security experts fill in the gaps for you
Follow our tips and you’ll easily prove you’ve “taken appropriate measures” regarding information security and operational resiliency.
5 Simple IT Security Tips for RIAs Who Want To Pass SEC Examinations
1. Be a business with a mature plan
The memo devotes an entire paragraph to Business Continuity and Disaster Recovery (BCDR) planning. To really drive the point home to people who just skim the document, there’s even a “Did you know?” box.
What the SEC wants to see in your BCDR plan
Maturity: The SEC has called out BCDR before, so they’re interested in seeing the evolution of your plan.
How you’ll respond to climate change: Auditors want proof that you are prepared to respond to disruptions caused by extreme weather events.
Documentation: Write out your plan so you can hand it to the auditor to review. In your documentation, explain which technologies you’ll use to bring your business back after an incident.
Review your BCDR plan at least once a year with your IT expert
When you do, check that your plan aligns with your business needs and the SEC’s requirements.
2. Prep for the exam by testing your team – Yep, we’re talking about practice
Unlike Allen Iverson’s infamous press conference, we do want to talk about practice – specifically the importance of cybersecurity training for your employees.
Address your weakest link: employees
The SEC knows employees can accidentally dismantle the most advanced security protections with a single click on an email link or attachment. That’s why the memo tells you to “address malicious email activities, such as phishing or account intrusions.”
Set up employee cybersecurity training and send fake phishing emails
Periodically testing your employees with fake phishing emails is the best way to train them not to click on real threats.
Tips for success:
- Test on a quarterly basis.
- Point out mistakes without shaming employees.
- Offer additional training and resources when people click.
- Keep records about your program for the SEC.
3. Watch everything
Continual threat monitoring is a single solution with an incredible ROI regarding SEC priorities. It fully or partially satisfies many of the points from the SEC memo including:
- Preventing account intrusions
- Responding to incidents
- Detecting identity theft red flags
- Managing risk created by a remote workforce
Why 24/7 is a powerhouse solution
You miss 100% of threats you don’t look for. Cybercriminals can sneak past defenses like firewalls and lurk in your system for months before striking. Continual monitoring tools flag suspicious activity so you can detect and respond to incidents, wherever they originate.
Your reputation is on the line too
Cybercriminals don’t work “normal” hours and can strike from any corner of the world. The threat to your client data, money and reputation is always on, so your defenses can never turn off.
You can automate detection but not review
Tools monitoring your environment all day, every day, flag a lot of activity. The software does not distinguish harmless activity from immediate threats. Only trained cybersecurity professionals have the skill set to sort flagged activity and act when necessary.
4. Stop relying on passwords
The SEC memo tells you to prevent unauthorized access. Your chance of success is low if you only use passwords to secure accounts.
Still don’t have Multifactor Authentication (MFA)? What are you waiting for?
Requiring employees to verify their identity through a unique code that only they receive just makes sense. It’s not expensive, stops cyberattacks and satisfies SEC requirements. If you still don’t have this solution, call me right now: 602.806.8025.
5. Secure the new “workplace”
Point 6 in the memo tells you to “manage operational risk as a result of a dispersed workforce in a work-from-home environment.” Some of this is accomplished through MFA and continual monitoring, but that is not enough.
A distributed workforce scatters employees – and risk
Any device used by remote workers to connect to your network can be weaponized by cybercriminals. To stop attacks, get an Endpoint Detection and Response (EDR) solution that is monitored 24/7/365 by cybersecurity professionals. Once set up, you will have the power to:
- Monitor for behavior that matches tactics used by cybercriminals and stop it
- Prevent access to USB and other removable storage devices
- Get alerts when large amounts of data leave your environment
Long Time Since Your Last Exam? The SEC Will Call Soon
After a few years go by without an audit, it’s easy to slip into complacency and think you’ll never hear from the SEC again. That could be a costly mistake for 2 reasons.
1. The SEC is back to pre-COVID levels for volume of exams
In fiscal year 2021, audits recovered from their pandemic dip. There was a 3% increase in the volume of audits over the previous year.
2. AI determines whom to audit
The SEC sets a target to audit 15% of all RIAs every year. All things being equal, that would work out to an examination every 6 to 7 years.
Except the artificial intelligence that determines whom to audit doesn’t weigh all factors equally.
Outside the agency, no one knows exactly how the AI works. But we do know a key factor is length of time since last exam. The longer it has been since your last audit, the more likely you are to be selected.
IT Security and Compliance Are Overwhelming
Too many RIAs skip the IT-related aspects of compliance because they don’t have time to figure out which solutions satisfy requirements.
We designed a solution for RIAs
With our turnkey IT compliance solution, you don’t have to take on the burden of proving you’ve “taken appropriate measures” regarding information security and operational resiliency.
We do it for you
The solution is the easiest way to:
- Put in place the right documentation for the SEC
- Lock down cybersecurity
- Track changes, updates, and demonstrate continual improvement