When it comes to newly heightened US regulatory oversight of cybersecurity risk, compliance directors face risks of their own.
They will be on the front line when examiners from the Securities and Exchange Commission come calling to evaluate their cybersecurity programs. But to even answer the SEC’s questions, not to mention have an acceptable working program to discuss, they will need to befriend their IT departments to ensure they meet the requirements and trust they know what they are doing.
If the examiners are not satisfied, compliance managers and their financial firms will have to pay the price. At a minimum, a more thorough exam. Worst case, penalties and reputational damage.
It’s a scenario that has compliance executives worried. “We appreciate the SEC’s clarification on what might be asked during exams but it is a double-edge for us,” one compliance director at a US fund management firm tells FinOps Report. “The bar has been raised very high, and we’re not the ones in control, practically speaking.”
The SEC now expects a lot more information about just how fund managers and broker-dealers are preparing to mitigate cybersecurity risks and what they will do if a data breach happens. On April 15, the regulatory watchdog’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert discussing the planned sweep exams of 50 buy- and sell-side firms to determine cybersecurity readiness and gather information on recent experiences. As part of the risk alert, the OCIE attached a seven-page sample document request consisting of 28 questions to determine just how prepared a firm is to address its cybersecurity risks.
Compliance directors aren’t likely to have all the necessary information at their fingertips, but they know what they need to get — and fast. They will have to hope it is accurate and detailed enough to satisfy the examiners.
“Compliance specialists will have to lean more heavily on their technology departments for the answers and work together with units which may have operated far more independently beforehand,” says Janaya Moscony, president of SEC Compliance Consultants, a New York regulatory compliance specialist firm. “Depending on the size of the firm and the historic closeness between the compliance and IT departments, it could be a difficult challenge.”
Compliance and IT departments aren’t natural best buddies. In fact, it’s common for compliance specialists to complain that their IT peers aren’t working fast enough to meet regulatory requirements or don’t understand them well enough. IT departments counter that they are already overworked and have to do more with less — fewer staff and often tighter cost controls.
“We are often at odds [with compliance] because of budgetary constraints and micro-managing multiple requests,” acknowledges an IT manager at an East Coast fund management shop. “We can be blamed for potential shortcomings in complying with regulatory requirements if an IT installation is not completed, when we weren’t aware it was that necessary or even on the radar.”
The SEC’s announcement came as no surprise to compliance specialists, given similar edicts by the broker-dealer self-regulatory authority, the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC), and the SEC’s own hint in January at the importance of cybersecurity in annual exams. The SEC also held a roundtable in March focusing on cybersecurity, where chairwoman Mary Jo White emphasized the need for stronger partnerships between the government and private sector to address cyberthreats.
Probing Questions
What startled some US compliance specialists was the level of detail the SEC wants them to disclose on cybersecurity governance, identification and assessment of cybersecurity risks, protection of confidential information, risks affiliated with customer access and fund transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
However knowledgeable compliance experts may be about regulatory requirements, the SEC is taking them out of their comfort zone by asking them to be IT experts as well. “The OCIE is telling compliance professionals that the sample document request is intended to empower them with questions and tools they can use,” says Sarah Wolff, a partner in the securities litigation and enforcement practice of Reed Smith in Chicago. “The questions are very detailed and will require compliance professionals to do a self-assessment of their existing cybersecurity programs.”
Of course, that presumes they have a cybersecurity program. If they don’t, they need to get one right away. And that means getting straight answers from their technology departments, so they can understand just what is being done and what more needs to be accomplished. The more knowledgeable the compliance specialists are, the more promptly they can address the SEC’s questions. No one wants an SEC examiner overstaying his or her welcome.
“Chief compliance officers need to ask the OCIE’s questions before SEC examiners visit and inquire. Firms will go a long way in taking a proactive approach,” says Moscony. “Staff will feel more confident in responding during an actual exam and examiners will appreciate a firm that takes its guidance and applies it. Often this can ultimately lead to a much easier exam for registrants.”
Building confidence includes making sure that both compliance and IT personnel have a good grasp of everything that is being asked and how it applies to their particular firm. As part of that process, says Wolff, compliance and IT specialists should confirm their mutual understanding of their firm’s risk profile, including risks associated with dealing with third parties in their business processes. Financial firms often hold critical data — particularly customer data — in private clouds hosted by external data storage specialists.
That kind of analysis is no simple task. Technology directors don’t report directly to compliance directors, so they might not take kindly to taking orders from their peers. But they will take direction from C-level executives. “It might be far more productive if the tone is set from the top, particularly if the compliance and IT units haven’t worked closely together in the past,” recommends Moscony. “Senior management must make it clear that there is an expectation that IT cooperate with compliance and respond in a timely fashion and adequately to compliance requests for information.”
Material Breaches
One of those requests is already causing angst for some fund managers and broker-dealers: reporting of past cybersecurity events. “We don’t know what the SEC will consider material,” a compliance director of a US fund management firm tells FinOps. “It’s pretty subjective and honesty may not be the best policy.” The reason: it could unintentionally elicit even more questions and a full-blown exam.
The SEC’s questions appear to be crafted to limit responsive information to significant cyber breaches, and they should be reviewed carefully with legal counsel, cautions Wolff. The questions also appear to be seeking information on whether non-binding disclosure guidance issued by the SEC’s Division of Corporation Finance in 2011 requires revision. The SEC itself has not taken a public stance on the division’s recommendations for what public companies should disclose of their cybersecurity risks and incidents, and so far no consensus has emerged.
Can the fund managers and broker-dealers included in this sweep rise to the new challenge? Given the highly publicized losses to hackers and scams, it seems likely that most firms have at least some basic cybersecurity efforts already underway. With the SEC, FINRA and CFTC announcing their intentions to dig into their cybersecurity preparedness, it looks like the right time for firms to consider whether what they’re doing is enough.