OCIE audits are hardly a pop quiz for registered investment advisors (RIAs). Every year, the SEC releases its priorities for the year. Right there in the 2020 Examination Priorities on page 13, you’ll find “Information Security.” The publication even underlines the importance of the section with a “Did You Know?” callout box, reminding readers how the “OCIE prioritized information security in each of its five examination programs in FY 2019.”
It goes on to spell out exactly what the OCIE will pay attention to during examinations and audits. It’s like when a teacher gave you a study guide in high school – they wanted you to do well. Encryption is the key place to start because it closely ties into the OCIE’s areas of focus for 2020. Here are 5 tips to help you prepare for an OCIE audit.
1. Know the Difference Between Encryption at Rest and Encryption in Transit
When asked if data is encrypted, many RIAs say yes and move on to the next question. But most only have encryption in transit, which is why we always follow up and ask during consultations or initial client meetings if they use encryption at rest as well. Here’s how to tell the two apart.
Encryption in transit
Almost every RIA can tick the box for encryption in transit. The websites they visit probably use HTTPS, which means data is encrypted as it moves between a user’s computer and the host. It gets more complicated when you consider the data you enter on those HTTPS sites: your name, address and other information are stored on a server, and that stored data must be encrypted as well, which HTTPS alone does not do.
Encryption at rest
When data reaches an endpoint, whether that’s an online cloud-storage application or a Network Attached Storage (NAS) device, does the information remain encrypted? To pass an audit, encryption when data reaches its home – when it’s “at rest” – is essential.
2. How You Encrypt Data at Rest Can Help Meet OCIE Data Loss Prevention Requirements
The same tools you rely on to protect data at rest will tick another box on your OCIE audit: data loss prevention (DLP). Microsoft has several tools RIAs can use to control information outside the boundaries of their networks and prevent data loss. For example, documents can be classified based on their characteristics. You can specify that if a document contains a Social Security number, it can be emailed but not copied, forwarded or printed. Access can be revoked, made conditional or set to expire after a certain amount of time. By applying these properties, you retain a high degree of control over documents, even after they leave your system.
3. Control Online and Mobile User Access
Wrap access control around online and mobile access to client brokerage account information from devices like phones, tablets and Chromebooks. We frequently pair Microsoft Intune with Active Directory to assert controls, assign policies and enforce best practices to secure devices.
Intune helps you manage encryption at rest too. Any modern operating system includes the ability to encrypt your hard drive for free; all you have to do is turn on the feature. On Windows, you do this through BitLocker, which gives you a recovery key. If something goes wrong and you need to get into the drive, that recovery key is what lets you decrypt your data, and if it is lost, so is the data. This can be difficult to manage manually. We recommend using Intune to store and manage the key instead.
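As an added example (not the page’s own code and not a Microsoft script), the PowerShell below checks every BitLocker volume on a Windows device, flags drives that are not protected, and escrows the numerical recovery password to Azure AD so Intune holds the key, writing a timestamped log line for each result. It assumes administrator rights on an Azure AD joined (or hybrid joined), Intune-enrolled Windows 10/11 device, and the log path is a placeholder.

```powershell
# Added example: verify BitLocker on every fixed volume and escrow the
# recovery key to Azure AD / Intune, logging each result for the audit trail.
# Assumptions: run as Administrator on an Azure AD joined, Intune-enrolled
# Windows 10/11 device. The log path below is an assumed placeholder.
$LogPath = "C:\ProgramData\OCIE-Audit\bitlocker-check.log"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

function Write-AuditLog {
    param([string]$Message)
    # Append-only, timestamped entries: evidence of an ongoing process.
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" | Add-Content -Path $LogPath
}

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        # Encryption at rest is missing on this drive: report it rather than
        # silently enabling it, so the change is a documented decision.
        Write-AuditLog "FAIL $mp VolumeStatus=$($vol.VolumeStatus) Protection=Off"
        continue
    }
    # Intune stores the 48-digit recovery password protector; add one if absent.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Write-AuditLog "INFO $mp added RecoveryPassword protector"
    }
    foreach ($p in $rp) {
        try {
            # Escrow the key so a lost local copy cannot lock the firm out of its data.
            BackupToAAD-BitLockerKeyProtector -MountPoint $mp `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-AuditLog "PASS $mp escrowed protector $($p.KeyProtectorId) to Azure AD"
        } catch {
            Write-AuditLog "FAIL $mp escrow error: $($_.Exception.Message)"
        }
    }
}
Write-Host "Results written to $LogPath"
```

Any FAIL line in the log is a drive the OCIE would ask about; rerunning the script on a schedule keeps the evidence current.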
4. Don’t Forget About Your Cloud-Based Storage
The data stored in cloud-based storage systems such as Dropbox, OneDrive or Google Docs is not encrypted. This is a huge exposure for your firm and an area of focus for the OCIE. One way to address the issue is by applying properties to documents (see #2 above). Or, you can use a third-party product like Boxcryptor to create encrypted containers within the cloud-based storage platform. Anything you place in that folder is then stored encrypted.
5. Create an Ongoing Process
Being prepared is not a one-time event. The OCIE wants to see that you’ve implemented what they’re looking for, every year. They aren’t interested in seeing that you prepared once, 10 years ago, and never thought about audits again. You should be ready to show an audit trail of what you did, the discussions held within your organization and how you reached decisions. The process you use should be repeatable, documented and ongoing.
Get a tailored policy based on your priorities and systems
We work with RIAs to manage and document their processes, secure data across devices and platforms and help them pass OCIE audits. It’s not an off-the-shelf solution – it is customized to our clients’ needs. Contact us now to learn more: (602) 297-2400.