Regulator Highlights Gaps Between Investment Manager Cyber Policy Documents - And Managers’ Actual Cyber Controls And Procedures.
On August 7th, the SEC’s OCIE released a Risk Alert outlining findings and observations from their Cybersecurity 2 Initiative – a follow-up from the initial 2014 examination of the preparedness and measures in place among firms in the asset management sphere.
The overall assessment was positive – from a sample size of 75 broker-dealers, investment advisors, and investment companies, an increased posture of cybersecurity preparedness was observed in comparison to the original 2014 Initiative. This finding held, even when accounting for more validation and more involved testing of procedures and controls surrounding cybersecurity preparedness in this year’s examination.
From the perspective of investors conducting cyber due diligence on asset managers, however, the SEC’s findings raise three major issues.
The first two pertain directly to cybersecurity policies and procedures. While the SEC found that “all broker-dealers and funds, and nearly all advisers maintained written policies and procedures addressing cyber-related protection of customer/shareholder records and information” – the SEC first noted that:
“Policies and procedures were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing policies”
When conducting due diligence, therefore, most investment managers will “tick the box” and confirm that they have a written cybersecurity policy. However – just like managers who use an “off the shelf” compliance manual - documentation which is vague and generic is of limited value. Cyber policies, just like any other operational document within an asset management firm, should be clear, explicit and relevant. Policies should be specifically crafted per organization and tailored to day-to-day operations. A key test for procedural documentation is to assess whether it is detailed enough to provide clear instruction to a new employee on their first day of work.
Secondly, the SEC stated that:
“Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices.”
For investors, the SEC’s observation follows from their finding that many cyber policies are vague: if policies don’t provide specific, relevant examples of acceptable vs. prohibited behavior, or if procedures provide staff with contradictory instructions, then these documents don’t serve a useful purpose. Employees cannot be expected to adhere to procedures which are vague, unclear, or outright contradictory.
Further, while there may always be an ‘aspirational’ quality to an organization’s policies, these types of documents are not a wish list, and must reflect reality. Procedures are an instructional manual; policies are a statement of a company’s values and positioning. If documented procedures don’t match a firm’s actual practice, either the procedure must be reviewed and revised, or better oversight, training, and enforcement of personnel is necessary to ensure adherence.
Again, investment managers may “tick the box” by making a cyber policy available during the due diligence process. However, absent more detailed cybersecurity diligence, it may be difficult for investors to confirm that the manager is actually following written procedures in practice. As such, cyber risk may not be adequately mitigated.
Finally, SEC staff observed:
“[…] issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information.”
In the wake of high-visibility ransomware outbreaks like the WannaCry worm, negligence in performing system maintenance and software patching raises serious concerns. The SEC report cites examples such as stale risk assessments and a lack of remediation efforts in the face of identified gaps.
For investors, once more, the SEC suggests that investment managers may “talk the talk” but not yet “walk the walk” in terms of actual implementation of effective cyber controls.
All three points of concern raised in this alert can be traced back to the need to keep pushing to truly institutionalize and commit to a strong security culture within the asset management community. Information Security is a dynamic arena, and there are no one-time or static fixes to address evolving security threats.
The full text of the Risk Alert may be viewed here.