
Is Your Wealth Management Firm Ready When the SEC Comes Knocking? 

If the Securities and Exchange Commission (SEC) walked into your office for an audit today, would your wealth management firm be prepared? In addition to longstanding regulatory standards, in recent years the SEC has added more cybersecurity requirements to “protect investors and maintain orderly markets,” according to SEC Chair Gary Gensler in comments on proposed updates

What will change with the proposed new rules? While the comment period ended recently and the rules have not yet been finalized, a few changes are likely to take effect. According to the SEC, the proposed rules would require wealth management firms to: 

    • “adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors.” 

    • “report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.” 

    • “publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years in their brochures and registration statements” 

    • “improve the availability of cybersecurity-related information and help facilitate the Commission’s inspection and enforcement capabilities.” 

 How can you ensure that your firm is prepared? In this article, we’ll walk through the essentials to get and stay ready for audits while protecting your firm and your clients’ sensitive information. 

Overview: Basic SEC Compliance in 2023 

Unfortunately, the SEC does not currently provide a specific cybersecurity compliance checklist, which makes compliance even more challenging. However, it has issued cybersecurity guidance that applies to wealth management firms, covering nine key focus areas.

Risk assessment 

Simply put, risk assessment is the process of identifying and evaluating existing risks to a company’s systems and sensitive information. To comply with SEC guidelines, organizations must have a clear understanding of the existing and emerging threats to sensitive information. Expert risk assessment services ensure regulatory compliance by identifying vulnerabilities, delivering concrete, measurable reports on current risk levels, and making actionable recommendations for risk mitigation. 

Governance 

Proper governance ensures that your wealth management firm has a framework in place to manage cybersecurity risks. Good governance will include strategic planning to help your organization navigate the regulatory requirements and recommendations that impact your business, including oversight by senior management and the board of directors.  
 

Access controls 

Access control processes ensure that wealth management firms are able to manage who can access internal data and resources. A solid access control strategy includes user authentication through measures like enforcing strong passwords and implementing multi-factor authentication and/or biometric authentication tools. These measures help ensure that users are who they say they are, but authentication is only part of the puzzle. Effective access control will also limit the amount of access users have, thereby mitigating risk if a bad actor gains access to a user’s account. Role-based access controls ensure that, even in the case of a breach, the intruder would only gain access to part of your system. 

Data loss prevention and recovery 

From scheduling regular system backups to taking steps to avoid data breaches, data loss prevention is necessary to protect sensitive information from loss or theft. Recommended data loss prevention measures include strategies and tactics to secure on-premises and cloud data storage solutions, encrypt sensitive information, and restrict access to protected information. In addition to simply preventing data loss, organizations should also implement strategies around data recovery. With an effective disaster recovery plan that includes regular offsite backups, firms can significantly reduce operational disruptions in the case of an outage. 

Incident response 

While your wealth management firm should consistently work to counter the latest threats, part of risk mitigation is having a plan to reduce the negative impacts of a cybersecurity incident. In addition to preventing and detecting attacks, you also need to create a strategy around containment, eradication, and recovery. That includes data gathering, identification and neutralization of the attacker(s), and resumption of operations. Post-incident activity should involve post-mortem meetings with all appropriate stakeholders to cover the chain of events leading up to detection, incident response team performance, and suggestions to improve prevention and response strategies in the future. 

Third-party service provider management 

Your network is only as secure as your least-secure vendor or partner. To comply with SEC guidelines, wealth management firms must have measures in place to ensure that their third-party service providers, vendors, and partners with access to their network have appropriate security controls in place. Without the right strategy in this area, cyber criminals may use a third-party vendor’s network as a back door into your system.  

With all that in mind, not every vendor or partner subjects you to a high level of risk. Vendors with little or no access to sensitive information do not present the same risk as those more integrated into your network. Effectively mitigating risk around third-party service providers means having a strategy and resources in place to measure, manage, and monitor the risk presented by these partnerships. Vetting every service provider and vendor for vulnerabilities can be a massive undertaking. Fortunately, with the right risk management partner, you can rely on experts to perform due diligence and identify vulnerabilities around prospective and existing vendors. 

Employee training 

All too often, bad actors use unwitting employees to gain access to wealth management firms’ sensitive information. However, if your employees have training on best practices to enhance security and learn how to identify common attacks, they can be an incredibly valuable defensive asset. Employee training can not only help you meet SEC guidelines but also significantly enhance your firm’s security to better protect your clients’ information. 

Continuous monitoring 

Wealth management firms must constantly monitor their systems for vulnerabilities, threats, and signs of malicious activity across all network endpoints. Continuous monitoring should leverage several important tools and services. 

    • Security scanning helps firms identify vulnerabilities and unanticipated file changes through ongoing network scans. 

    • Intrusion detection system (IDS) software provides early warnings and alerts of suspicious activity in your system. 

    • Endpoint detection and response (EDR) software detects and responds to threats like malware and ransomware by monitoring end-user devices. 

    • Security information and event management (SIEM) facilitates compliance with audits through real-time monitoring and analysis of events in your network in combination with tracking, logging, and reporting on security data. 

With a holistic approach to continuous monitoring, organizations can often catch vulnerabilities before they become breaches and ensure that they get early warnings of security incidents and threats. Further, 24/7 monitoring of your firm’s server infrastructure can also help you reduce the risk of non-cybersecurity-related outages that can lead to data loss and operational disruptions. 

Reporting 

Failure to report cyber incidents and vulnerabilities to the appropriate regulatory authorities can have catastrophic impacts for your firm—legally, financially, and reputationally. Unfortunately, the simple act of reporting is never actually simple. Navigating through the complexities of reporting to regulatory bodies can be a nightmare without expert assistance. 

In addition to compliance considerations, your firm must be able to communicate both technical and non-technical reports around risk mitigation, incident response plans, and incident post-mortems to boards, regulatory bodies, and other key decision makers. A partner with experience and expertise in security reporting can help you communicate actionable information to both technical and non-technical audiences. 

Contact us today to ensure that your firm has a cybersecurity strategy in place and that you’ll always be prepared when the SEC knocks on your door. 