As I discussed in my last blog concerning wealth management firms, the Securities and Exchange Commission (SEC) and its Office of Compliance Inspections and Examinations (OCIE) have placed a strong emphasis on information security and privacy practices. As 2020 began, OCIE examinations appeared to concentrate on cyber governance, cyber resilience, privacy and data security, and outsourcing risks. Although these considerations still exist, the advent of the COVID-19 crisis has prompted the SEC to augment its thinking on current risks for broker-dealers and investment advisers. Pursuant to this effort, it released a Risk Alert entitled Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf). The OCIE’s observations and recommendations are grouped into a number of categories, which are discussed below:
Protection of Investor Assets: The OCIE is encouraging firms to review their operating practices surrounding collecting and processing investor checks and transfer requests to ensure social distancing practices and remote working are not impacting the security of these practices. As well as updating policies to reflect these changes, the OCIE is recommending implementing additional steps to validate the identity of investors and the authenticity of their disbursement instructions.
Supervision of Personnel: The OCIE recommends that firms review and adjust their personnel supervision policies and procedures to ensure that the current situation does not seriously impair broker-dealers’ ability to provide sound advice in a volatile market and to communicate effectively with their customers.
Fees, Expenses and Financial Transactions: Recent market volatility has put pressure on both investors and wealth management firms, and this increased pressure may raise the potential for misconduct among broker-dealers. Because of this, the OCIE recommends that firms review and adjust their policies and procedures surrounding fees and expenses.
Investment Fraud: Volatile times and business situations can increase the risk of investment fraud through fraudulent offerings. The OCIE recommends that firms be aware of these risks and take them into consideration when conducting due diligence reviews on investments, to ensure that those investments are actually in the best interest of the investors. It encourages firms and investors that suspect fraud to contact the SEC.
Business Continuity: The OCIE recommends that firms consider their ability to operate critical business functions during the emergency situation and review their business continuity plans. It notes that working from remote sites could raise compliance issues, and specifically states that compliance policies and procedures used under normal operating conditions may need to be modified to address the risks and conflicts of interest present in remote operations. It also states that security and support for facilities and remote sites may need to be modified or enhanced.
Protection of Sensitive Information: The current emergency has forced firms to employ video conferencing and other electronic means to communicate while working remotely. Often personnel are using personal devices and web-based applications as part of this process. The OCIE points out that employing these means increases the risk that investor PII or private company information may be compromised, and that these practices also increase email and phone phishing risks. To mitigate these risks, the OCIE recommends that firms enhance their identity protection practices, provide additional training for users and investors, conduct heightened reviews of access rights and privileges, use encrypted communications, ensure that patching and updating are performed promptly, consider enhancements such as multi-factor authentication, and address risk issues related to partners and third parties.
MSI points out that the best way to ensure that all your information security practices are effective and compliant with guidance such as that listed above is to conduct regular security reviews and testing. These include risk assessments, application security assessments, network vulnerability and penetration testing, and other security testing such as Wi-Fi security testing and social engineering exercises.