Advisers offer tips for surviving a cybersecurity exam

Firms shouldn't wait for an inspection notice from the SEC to begin fortifying their online systems.
OCT 26, 2016
Investment advisers who have been through a Securities and Exchange Commission cybersecurity examination warned other advisers Tuesday not to wait for an inspection notice from the agency to begin fortifying their online systems.

“It's like taking a pop quiz in school without having been to class,” Robert Ross, chief compliance officer at Sontag Advisory, said at the Schwab Impact conference in San Diego. “You have to assume they're coming soon.”

Trevor Hicks, director of technology at Wetherby Asset Management, gave the same admonition about getting caught flat-footed. “You can't start preparing soon enough,” Mr. Hicks said.

The two advisers participated in a panel and media availability at the conference to highlight what Schwab says is a growing concern among advisers: regulatory scrutiny of cybersecurity. “This is the No. 1 topic on advisers' minds,” said Michelle Thetford, vice president for adviser services, client strategic solutions for Charles Schwab & Co.

Mr. Hicks recommended that advisers look carefully at the SEC's 2014 cybersecurity initiative, which, along with a similar one the next year, provided guidance on how the agency would assess preparedness.

The agency sent a 37-point document request in advance of the assessment of Mr. Hicks' firm. Six examiners conducted the inspection over the course of one day. For Mr. Ross' firm, the examiners spent five days onsite. It also was the subject of a regular examination around the same time.

Information technology staff should participate in a cyberexam, because SEC personnel are rigorous, according to Mr. Hicks. “I was impressed by how knowledgeable they were about how technology works,” he said.

The agency basically wants firms to know what kind of sensitive data they have, where it's located and who has access to it, Mr. Hicks said. They also want to see in black-and-white how a firm approaches cybersecurity and responds to breaches. “They were very hung up on written policies and procedures,” Mr. Ross said.

Schwab, which provides custody and other services to 7,000 independent investment advisers, offers an online Cybersecurity Resource Center. Advisers can turn to a custodian like Schwab for help with online protections or to a consultant, but they should be wary of pre-packaged products, said Michelle Jacko, chief executive of Core Compliance and Legal Services. “That's where we're seeing deficiency letters,” she said.

Firms of all sizes must be able to show they can identify a cyberproblem, mitigate it and conduct ongoing monitoring. If they turn to a third-party provider, they must provide due diligence. “Small firms are held to the same standards,” Ms. Jacko said.

The SEC has put cybersecurity on its exam priority list for the last two years and will likely keep it on the roster. “The regulators have high expectations for us to protect client assets,” Ms. Thetford said.
