The SEC’s examinations concentrate on six audit items:
1. Governance and Risk Assessment – Oversight of client data that is specific to a firm’s organization and business model, not just an off-the-shelf solution. Since every firm is different, the SEC likes to see firm-specific procedures for the firm’s data security practices.
2. Access Rights and Controls – How the firm controls application users and their levels of permission to access client data. For example, should the unregistered receptionist have access to the Order Management System? (The answer is no.)
3. Data Loss Prevention (DLP) – DLP consists of best practices and security tools which reduce the leaking of client data outside an organization’s control. Sending a client account number over non-secure communication like personal email accounts would be considered a high-risk item in a DLP audit. Enterprise-grade DLP systems react to these messages in real time and prevent restricted data from leaving the firm’s environment by blocking delivery of the data.
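As an added illustration of the DLP behaviour described above (example code written for this page, not a product or the SEC’s own guidance), the following Python filter inspects an outbound message, looks for client-account-number patterns, and blocks delivery when such a pattern is headed to a recipient outside the firm’s approved domains. The account-number format, the approved-domain list, and the sample messages are all constructed assumptions for the example; a real deployment would use the custodian’s actual formats and the firm’s own domain policy.

```python
import re
from dataclasses import dataclass, field

# Domains the firm controls or has vetted for client data (constructed policy data).
APPROVED_DOMAINS = {"example-advisor.com", "custodian.example"}

# Assumed client account-number format for this illustration: two uppercase
# letters followed by eight digits, optionally split by a space or hyphen
# (e.g. "AB-12345678", "AB 1234 5678"). Real formats vary per custodian.
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}[\s-]?\d{4}[\s-]?\d{4}\b")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


@dataclass
class Decision:
    action: str                      # "allow" or "block"
    reasons: list = field(default_factory=list)


def find_account_numbers(text):
    """Return every account-number-like token in the text."""
    return ACCOUNT_RE.findall(text)


def mask(account):
    """Keep only the last four digits so the DLP log itself does not leak data."""
    digits = re.sub(r"\D", "", account)
    return "***" + digits[-4:]


def external_recipients(message):
    """Recipients whose mail domain is not an approved, firm-controlled destination."""
    return [r for r in message.recipients
            if r.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS]


def evaluate(message):
    """Block delivery when restricted data would leave the firm's environment."""
    hits = find_account_numbers(message.body)
    outside = external_recipients(message)
    if hits and outside:
        return Decision("block", [f"account {mask(h)} to {r}" for h in hits for r in outside])
    return Decision("allow")


# Constructed sample traffic, not real client data. "gmail.example" stands in
# for a personal, non-firm email account.
SAMPLE_MESSAGES = {
    "personal_email": Message("advisor@example-advisor.com", ["someone@gmail.example"],
                              "Hi, your account AB 1234 5678 was funded today."),
    "internal": Message("advisor@example-advisor.com", ["ops@example-advisor.com"],
                        "Please reconcile AB-12345678 before close."),
    "external_no_data": Message("advisor@example-advisor.com", ["someone@gmail.example"],
                                "Confirming our meeting on Tuesday at 10am."),
}


def run_samples():
    """Evaluate every constructed sample and return the decision per message."""
    return {name: evaluate(msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: {decision.action} {decision.reasons}")
```

The same account number written with spaces, hyphens, or neither is caught because the pattern allows optional separators, which is the kind of normalization a real DLP engine performs; the log line records only a masked form of the number so the audit trail does not become a second leak.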
4. Vendor Management – An organization’s cloud application provider(s) should understand and manage security, but the advisory firm is required to review and validate these providers’ disaster recovery plan (DRP), encryption standards, and information security policies. InvestCloud’s Chief Architect, Vincent Sos, is a specialist in cloud security and offers advice to RIAs when engaging cloud solution providers: “Ensure that your cloud vendors have regular security tests and can provide you with the results. For key vendors you may want to engage your own security specialists to verify or even ‘ethically hack’ your cloud vendor’s solution. Your cloud vendor should always be open to assist you in that exercise.”
5. Training – A firm is required to have a program that trains employees to identify threats and protect client information.
6. Incident Response – There are many types of security incidents, and each requires a specific set of employee roles and responsibilities. A firm needs to have a plan for who does what if there is a breach or loss of client data.