SEC exam sweep reveals adviser cyber-efforts

Most investment advisers and brokers are ‎assessing electronic security at their firms, but their approach and frequency vary widely, according to preliminary observations from a Securities and Exchange Commission exam sweep. The agency has reviewed cybersecurity policies at 50 investment advisers and 50 brokerages, according to Jane Jarcho, national associate director of the SEC's investment adviser and investment company examination program. The "vast majority" of firms conduct "firmwide inventories” of electronic resources (hardware, software, data), maintain written security policies and conduct periodic risk assessments, Ms. Jarcho said. "Although most do it, it really varies in how they do it and how frequently they do it," Ms. Jarcho told state regulators on Monday at the North American Securities Administrators Association annual conference in Indianapolis. A majority of firms prioritize and protect electronic resources based on their sensitivity and business value, Ms. Jarcho said. But she added that small and midsize firms tend not to do this. Where firms may be falling short is ‎in getting to know their clients' online habits. Ms. Jarcho said more than one-third of advisers with retail clients do not assess their login capabilities and practices. Ms. Jarcho cautioned that her observations were preliminary. "We are really just now starting to analyze the results," she said. Findings will be released through speeches by agency officials in coming months, as well as in an investor risk alert. Advisers don't need to be warned by the SEC that storing client information in the cloud is a risky venture, said Shane Hansen, a partner at Warner Norcross + Judd. "There's lightning in them thar clouds, and things may not necessarily go well," Mr. Hansen said at the NASAA conference. "‎Never put anything in an iCloud that you wouldn't want other people seeing." Advisers must stay aware of evolving technology and adjust their cyb‎ersecurity approaches accordingly. "Advisers have a responsibility to be looking and changing policies as this world of cybersecurity changes," Ms. Jarcho said.