How to Make Sure You Are Secure & Compliant (SEC Guidance Using Technology)
The Securities and Exchange Commission (SEC) continually proposes stricter rules for regulated entities such as Registered Investment Advisers (RIAs) and other funds.
These rules aim to enhance cybersecurity and ensure compliance with best practices.
If you are a registered adviser, it’s crucial to align your cybersecurity framework with these guidelines to protect sensitive data and maintain client trust. Here are the key areas to implement in your RIA firm.
Conduct Regular Risk Assessments
Conduct regular risk assessments to identify vulnerabilities, maintain program effectiveness, and ensure compliance with SEC rules.
During these assessments, firms should evaluate their existing policies, identify vulnerabilities, and document findings. By regularly assessing the firm’s cybersecurity readiness, you can maintain an effective security posture and remain compliant with the SEC’s requirements.
Establish Comprehensive Cybersecurity Policies
Creating and maintaining written cybersecurity policies is the foundation for compliance.
RIAs and regulated firms must draft policies covering various aspects, including risk assessments, data protection, threat detection, access controls, and incident response. Regular reviews and updates of these policies are essential to ensure they remain effective against evolving threats.
Additionally, it’s advisable to document these policies thoroughly, as they may be reviewed by the SEC during audits or investigations.
Strengthen Oversight and Accountability
The SEC’s proposed rules emphasize the role of boards, committees, or senior management in overseeing cybersecurity efforts. They are responsible for approving cybersecurity policies, reviewing assessment reports, and monitoring third-party vendors.
Such oversight helps integrate cybersecurity into the firm’s overall governance and ensures that security measures align with broader business objectives.
Monitor and Archive Communications
For RIAs, the SEC also mandates monitoring and archiving of all communications, including emails, text messages, and encrypted messaging apps like WhatsApp. Failure to preserve these communications can result in substantial fines.
To avoid this, firms should implement robust systems for capturing and storing all relevant communications, ensuring transparency and compliance.
Disclose and Report Cybersecurity Incidents
To ensure transparency and build trust, the SEC requires firms to both disclose and report significant cybersecurity risks and incidents. Disclosure in regulatory filings keeps clients and investors informed of potential vulnerabilities or breaches.
Additionally, proposed guidelines suggest that firms must report major incidents to the SEC within 48 hours.
Respond to Investor Due Diligence Questionnaires (DDQs) Effectively
Although not explicitly required by the SEC, potential and current investors often request Due Diligence Questionnaires (DDQs) to gain insight into a firm’s operations, including its information technology, cybersecurity governance, and cybersecurity practices.
When preparing these documents, it’s essential to be accurate while presenting a positive narrative of your operations. Highlight strengths in your cybersecurity framework, policies, and risk management, but ensure all information is accurate and aligns with how your company genuinely operates.
At Coffer Group, we do this for you. We will enhance your existing compliance program, develop and execute your technical-cybersecurity governance process, and even complete your DDQ for investors.
Learn more about how Coffer Group can guide you in this by clicking here.