By Jason Elmer, CEO at Drawbridge
As the calendar turns on a fresh fiscal year, the SEC Division of Examinations has published its list of 2022 priorities. Since 2013, releasing a list of examination priorities has been an annual tradition for the Division – a move designed to improve transparency among investors and registrants, flagging areas of increased risk to ensure firms can do all they can to protect themselves.
And in 2022, there’s a great deal of risk.
The SEC’s 2022 priorities
Some of the SEC’s key priorities this year cover areas such as private funds, Environmental, Social and Governance (ESG) Investing, standards of conduct, and emerging technologies such as crypto-assets. For cybersecurity teams, it’s the SEC’s focus on information security and operational resiliency that demands immediate attention.
This year, the SEC Division of Examinations will be particularly focusing on broker-dealers’, RIAs’, and other registrants’ measures to prevent interruptions to mission-critical services, as well as protecting investor information, records and assets.
The Division states it will also continue to review whether firms have taken ‘appropriate measures’ to safeguard customer accounts and prevent account intrusions by ensuring the correct steps are in place to verify an investor’s identity. It will also examine whether firms are overseeing vendors and service providers, addressing malicious email activities, identifying red flags related to identity theft, and managing operational risk for those working from home. As such, the Division will be paying particular attention to compliance with Regulations S-P and S-ID, where applicable.
With the assaults on Colonial Pipeline, JBS Foods and CNA Financial, among others, 2021 was a lesson in just how much havoc a ransomware attack can wreak. And as the number of cyber-attacks show now sign of diminishing, the Division’s 2022 priorities make it clear that firms must make operational resiliency and keeping customer data safe a core priority in 2022.
But it’s not just about managing risk – it’s also about recovery. The Division will also be reviewing business continuity and disaster recovery plans of registrants, paying particular attention to the impact of climate risk and ‘substantial disruptions’ to the flow of business operations.
Best practice for compliance
With security and compliance under the Division’s watchful eye, firms must reexamine their security infrastructure and ensure they’re meeting all compliance requirements – placing a particular focus on disaster recovery plans as flagged by the SEC.
Businesses must be realistic about the security risks they face and how to best mitigate them. They need to implement a clear recovery time objective and recovery point objective. They need to ensure that everyone knows their roles in the event of an incident and that there is a clear chain of command. And as the SEC noted, the shift to hybrid and remote working – which has stretched company networks and added extra endpoints – has made firms more vulnerable to cyber attack. As such, all security procedures must be adapted to reflect the changing landscape and ensure that even firms with a dispersed workforce will remain secure.
Real-time security
In today’s fast paced environment, one of the most efficient ways to mitigate risk is through real-time monitoring of networks, third party providers,and endpoints, so malicious activity is flagged and addressed as soon as it arises. Point in time assessments simply do not cut it anymore – by the time malicious activity is detected, cybercriminals may have already stolen highly sensitive information and done irreparable damage.
Of course, it’s not just devices that introduce vulnerability – it’s the people who use them. Employees can be the weakest link in a company’s security strategy, while also playing a major role in its cyber defense. Employee education is a crucial part of protecting against phishing attacks and account intrusions. With attacks designed to exploit people’s ignorance and naivety, regular cybersecurity training to ensure all employees are security-savvy should be a priority across all departments.
Further, it would also be wise for firms to review their legacy systems and make necessary updates – keeping in mind that the infamous Colonial Pipeline attack was launched by breaching a legacy VPN, protected by a single password.
Risk may be at an all-time high in 2022, but that doesn’t mean firms are powerless. By reviewing current security protocols, by putting new strategies in place, and by partnering with the right software provider, firms will be better placed to evaluate and meet regulatory obligations. After all, staying on top of security and operational resiliency best practice is not just about matching the SEC’s expectations, it’s about providing the best protection and service to clients. Regardless of the Examination Priorities, this should always be the top priority for business.
About the Author
Jason Elmer brings more than 20 years of cybersecurity and IT infrastructure experience to his role at Drawbridge. As Founder and CEO, he is responsible for driving the firm’s day-to-day operations, expanding its geographic and technology footprint, and leading the company for global growth and scale. His management background includes multiple executive leadership roles and extensive experience delivering business critical FinTech software and solutions that meet the specialized needs of hedge funds and private equity managers.
Previously, Jason served as a Managing Director at Duff & Phelps (now Kroll, LLC), where he founded and led the Cybersecurity Services team, working with alternative investment managers across the globe to help them ensure compliance with appropriate regulatory bodies while meeting investor demands. Prior to that, he was a Partner at Abacus Group with a focus on providing cybersecurity, hosted infrastructure and disaster recovery services for alternative investment firms. Throughout his career, Jason has been at the forefront of business, technology, and customer service innovation across multiple facets of the global financial services industry.
Jason holds a BS in finance from the Fordham University College of Business Administration and is an active member of the Young Presidents’ Organization (YPO).
Jason can be reached online at http://www.drawbridgeco.com
Source: www.cyberdefensemagazine.com