The Securities and Exchange Commission (SEC) gave asset managers a holiday gift late last year with the announcement of the 2019 exam priorities for the Office of Compliance Inspections and Examinations (OCIE).
The SEC releases the OCIE exam priorities each year to give proactive asset managers the chance to review their practices and records in case they are selected for an exam. Like an IRS audit, selection for an OCIE exam is random, so an asset manager tested last year faces the same odds this year as a manager who has never been selected. Failing an exam could mean not only paying a fine but also suffering significant reputational damage in the marketplace.
What’s most interesting about this year’s priorities is their emphasis. Once again, the OCIE test will prioritize cybersecurity and digital asset management. This concern with cybersecurity, which also appeared on last year’s exam, signals the SEC’s sustained interest in digital security in this digital age.
But what exactly will OCIE be looking for? The press release linked above doesn’t go into much detail, but the 2019 OCIE exam priorities are available here and mention the following areas of focus for exams:
- Configuration of network storage devices
- Information security governance
- Retail trading information security
- Third-party vendor management
Forward-facing asset managers would be well served to make sure that their houses are in order on these fronts. This is no small task, as firms must manage sometimes-cumbersome legacy systems and constantly mutating threats—not to mention the security practices of their partners. (One recent survey found that just 38 percent of banks and capital markets firms hold their partners to the same cybersecurity standards as their own businesses.)
The latest Accenture research on cyber attacks shows that one in seven data breach attempts targeting banks and capital markets firms are successful—and that 42 percent of successful breaches go undetected for a week or more. Almost 10 percent are undiscovered for over a month. Further, while the rate of successful breaches is dropping, the number of attacks has doubled in the last year. Clearly, asset managers (among other financial services players) need vigilance beyond the strictures of the SEC to safeguard the data of their clients and their own reputations.
Yet I think moving on these priorities alone is an insufficient cybersecurity strategy. The SEC’s advice and areas of focus are sound, but its cybersecurity areas of focus belie the complexities of today’s asset manager operations. The list focuses on data repositories that need to be safeguarded—mainly data at rest. But data moves. Managers should go beyond the list and consider other dimensions of the business that might create additional risk, for example, mergers and acquisitions. The integration approach for an acquired company has important implications for security and risk. The due diligence process should evaluate technical compatibility and the structure of the security organization to identify integration risks. These should be considered in an updated cybersecurity strategy, day one readiness plan and post-merger integration plan.
Where should asset managers get started? Accenture’s research and our experience working with clients suggest the following:
- Recognize that cybersecurity is a process, not an outcome. The need for cybersecurity investment will never go away because the threat of fraud and data risks will never go away. It can pay to think long-term.
- Identify breaches quickly. Over 60 percent of firms surveyed in the research linked above took more than 30 days to fix a data breach.
- Get the whole organization involved. No cybersecurity team, however vigilant, can guard against and detect 100 percent of all risks and breach attempts. Make sure everyone in your organization is trained in good digital security protocol and knows how to recognize common breach techniques.
- Focus on the right metrics. Smart cybersecurity metrics are internally focused—your team doesn’t control the number of breach attempts it will face, after all. Powerful measurements could include the number of successful breaches, duration of service loss and response time.
- See past perimeter controls. Our research shows that many firms have over-invested in their “digital fences,” perhaps out of hope that this will offset security weakness elsewhere. The trouble is that even the best perimeter controls are still porous; moreover, most breaches have an internal nexus.
If you’d like to talk through how these principles could look when applied to your business, I’d love to hear from you. Contact me directly at firstname.lastname@example.org.