Investment advisers who have been through a Securities and Exchange Commission cybersecurity examination warned other advisers Tuesday not to wait for an inspection notice from the agency to begin fortifying their online systems.
“It's like taking a pop quiz in school without having been to class,” Robert Ross, chief compliance officer at Sontag Advisory, said at the
Schwab Impact conference in San Diego. “You have to assume they're coming soon.”
Trevor Hicks, director of technology at Wetherby Asset Management, gave the same admonition about getting caught flat-footed.
“You can't start preparing soon enough,” Mr. Hicks said.
The two advisers participated in a panel and media availability at the conference to highlight what Schwab says is a growing concern among advisers: regulatory scrutiny of cybersecurity.
“This is the No. 1 topic on advisers' minds,” said Michelle Thetford, vice president for adviser services, client strategic solutions for Charles Schwab & Co.
Mr. Hicks recommended that advisers look carefully at the
SEC's 2014 cybersecurity initiative, which, along with a
similar one the next year, provided guidance on how the agency would assess preparedness.
The agency sent a 37-point document request in advance of the assessment of Mr. Hicks' firm. Six examiners conducted the inspection over the course of one day.
For Mr. Ross' firm, the examiners spent five days onsite. It also was the subject of a regular examination around the same time.
Information technology staff should participate in a cyberexam, because SEC personnel are rigorous, according to Mr. Hicks.
“I was impressed by how knowledgeable they were about how technology works,” he said.
The agency basically wants firms to know what kind of sensitive data they have, where it's located and who has access to it, Mr. Hicks said.
They also want to see in black-and-white how a firm approaches cybersecurity and responds to breaches.
“They were very hung up on written policies and procedures,” Mr. Ross said.
Schwab, which provides custody and other services to 7,000 independent investment advisers, offers an online
Cybersecurity Resource Center.
Advisers can turn to a custodian like Schwab for help with online protections or to a consultant, but they should be wary of pre-packaged products, said Michelle Jacko, chief executive of Core Compliance and Legal Services.
“That's where we're seeing deficiency letters,” she said.
Firms of all sizes must be able to show they can identify a cyberproblem, mitigate it and conduct ongoing monitoring. If they turn to a third-party provider, they must provide due diligence.
“Small firms are held to the same standards,” Ms. Jacko said.
The SEC has put cybersecurity on its exam priority list for the last two years and will likely keep it on the roster.
“The regulators have high expectations for us to protect client assets,” Ms. Thetford said.
