Did you know that the Securities and Exchange Commission (SEC) and the Office of Compliance Inspections and Examinations (OCIE) release an official list of their examination priorities every year? This document highlights what they have identified as critical risks, key trends and organizational priorities they intend to focus on in the coming year as they carry out their mandate to protect investors and improve compliance.
Coming off of 2020, a year in which the term “pivot” gained buzzword status due to the fact that so many organizations had to drastically alter the way they operate, we thought it would be interesting to dig into this year’s list of OCIE examination priorities to see how the events of the past year have impacted it.
In our interview below, we pick the cyber-savvy and knowledgeable brain of Michael Cocanower, founder and president of itSynergy, IACCP, and Certified Ethical Hacker, on the latest OCIE priorities.
Q: What is on the OCIE priority list for this year?
A: The number one priority OCIE mentioned this year is a focus on safeguarding customer accounts. They are looking very closely at how registered investment advisors (RIAs) are protecting their customer data.
Q: Does the cloud provide any new vulnerabilities that RIAs should be considering?
A: Every single time an RIA adopts a new cloud technology, they are potentially taking on a new vendor. Sometimes it’s a very obvious technology adoption that requires significant oversight (like with a major CRM implementation), other times not so much. Companies may not give much thought to or even realize that they are, in effect, entering into a new vendor relationship when they are introducing an IT solution and, therefore, may not give it their regular due diligence. For example, do you have OneDrive installed on your computer (which comes by default with most Windows computers)? That’s a cloud service. Dropbox, Zoom, Teams? Those are all cloud services. Cloud service is ubiquitous today.
Q: How should an RIA proceed when taking on a new cloud service provider?
A: A good starting place is to take a full inventory of their existing cloud service vendors and ensure that they are doing their due diligence. An upfront audit should be conducted to understand the vendor policies and to confirm that these vendors are, in fact, following their policies. And then this audit needs to be repeated on an ongoing basis. RIAs have an obligation to properly oversee their IT solution service providers.
Q: Is there anything specific that the OCIE is focusing on as a result of COVID-19?
A: Absolutely. With so many members of the workforce having quickly transitioned to a work-from-home (WFH) model, the OCIE is focusing on managing operational risk as a result of these dispersed employees. In order to enable WFH models, RIAs rapidly adopted cloud-based services in droves over the past year, which begs the question: are their internal controls being maintained to the same standards when working from the cloud?
We’ve been seeing a significant uptick in the number of cloud-based vendors at play in any given organization – I refer to it as “cloud vendor sprawl.” Five years ago, there may have been 1 or 2 cloud-based vendors running a core system – now we’re seeing 20 at one company, and they don’t always talk to each other. RIAs need to consider this. The last thing we want to do is create a bunch of islands of information that don’t talk to each other.
Q: What kinds of strategies has itSynergy been using with respect to the increased cloud-based vendor usage?
A: I want to emphasize that we are very pro-cloud, especially in light of the OCIE priorities around protection of customer data. Really think about it. As a small- to mid-sized RIA, there is no way you will ever come close to spending what a company like Microsoft spends on cybersecurity. When the cloud first came out, there was some hesitancy – a feeling like, “I want to be able to touch the server where my data is housed.” I ask, do you want to store your data in the main vault of the Federal Reserve or in the Wells Fargo down the street? Personally, I’ll take the Federal Reserve.
I mentioned the upfront and ongoing audits. These are important. We are also highly focused on identity management and funneling these many authentication channels through one single source that provides a secure validation of identity. This allows an organization to direct their tech tool investment into this one source and make it as robust and protected as possible.
Q: Final advice for an RIA that might be looking for guidance based on the latest round of OCIE priorities?
A: Unless you are a relatively large and sophisticated RIA, chances are you’re not really qualified to assess cloud vendors from a cybersecurity standpoint. It can be really powerful to have us sitting at the table next to you during the assessment process. We can ask the cybersecurity questions that you wouldn’t even know to begin asking, leaving you free to focus on assessing the vendor from a business requirement perspective. Then, in the unfortunate event that the OCIE does come knocking, we have these cybersecurity discussion points documented. We found the vendor processes acceptable for these reasons. Here is what we did to mitigate those processes that we didn’t like, etc. We can be a partner in helping to balance business productivity with business security.