What You Need to Know from OCIE’s 2020 Cybersecurity Observations

On January 27, 2020, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) released its Cybersecurity and Resiliency Observations for 2020 (the Release). The observations are designed to assist market participants in managing and combatting cybersecurity risk and in maintaining and enhancing operational resiliency.

  • Governance and Risk Management: As with the exam program generally, OCIE looks for a “tone at the top” when it comes to executing a firm’s compliance program. In particular, senior leaders should clearly communicate the organization’s commitment to tailored policies and procedures, a robust assessment of the firm’s cybersecurity risks, and continual monitoring of the program so that it quickly adapts to changes in risk.
  • Access Rights and Controls: From the beginning of its cybersecurity sweeps, OCIE has focused on access restrictions (i.e., limiting certain data to authorized users and better protecting against the improper use of client information). The Release emphasized that firms should be intentional when organizing and chronicling system data so that the system has fewer vulnerabilities. OCIE noted that effective programs include procedures to manage user access through systems and procedures, enable multi-factor authentication, and address the access rights of individuals who leave the firm.
  • Data Loss Prevention: Procedures should be sufficient to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Firms that effectively prevented data loss routinely scanned for vulnerabilities in their software, hardware and web-based applications, including those of their third-party providers. These organizations also employed perimeter security measures capable of inspecting and preventing harmful traffic and detecting threats on system end points. Finally, firms should inventory their hardware and software assets, routinely patch and update software and oversee the proper disposal of legacy systems and equipment.
  • Mobile Security: Mobile devices and applications present unique vulnerabilities because they are in transit. OCIE observed that firms can install applications on these devices that will automate the routine monitoring of email communication, calendars, data storage and other activities. A key component in implementing effective security protocols is training employees on prudent usage of mobile devices.
  • Incident Response and Resiliency: Firms should develop an incident response plan that enables swift detection and handling of a wide range of cyber threats. Once an incident occurs, the plan should outline the steps for a quick recovery so that the firm can continue safely serving its clients. OCIE highlighted the fact that other state and federal laws may apply to cybersecurity incidents. Accordingly, firms should consider the circumstances in which an incident warrants contacting employees, clients and/or third parties, such as criminal authorities and regulators.
  • Vendor Management: Third-party vendors may pose risks with respect to client data. OCIE noted that effective vendor management includes implementing initial screenings and safeguards, establishing vendor termination procedures, understanding and avoiding the risk posed by a vendor’s contract terms, and continuous monitoring of all third-party vendors.
  • Training and Awareness: Further to a “tone at the top,” firms should embed cybersecurity as a cultural norm that guides firm behavior. In addition, regular, formal training informs employees about the risks and responsibilities associated with cyber threats. OCIE observed that effective training programs include the use of examples and exercises that mimic the threats that the firm needs to prevent.

It is important to remember that these are general observations for the SEC as an agency. As you review the observations, compare them to your firm’s own policies and procedures and consider whether you may need to reassess certain policies and procedures moving forward. As always, the Greyline team is happy to assist you with these inquiries.

Please find the full Cybersecurity and Resiliency Observations here.

JP Gonzalez

JP Gonzalez is a Partner at Greyline and heads the company’s technology and sales initiatives globally. He is also a member of gVue’s steering committee. Prior to joining Greyline, JP spent six years designing and evangelizing Compliance Regulatory Technology for broker-dealers, investment advisors and fund managers, where he assisted clients with all aspects of complying with FINRA, SEC and state rules and regulations related to a firm’s code of ethics. His technology background includes five years as a software developer and program manager at Microsoft, with his last two years at Microsoft as the UX/UI usability and accessibility program manager for Internet Explorer. He has a B.S. in Computer Science from Rose-Hulman Institute of Technology.

Nick Thomas

Nick Thomas is a Partner at Greyline and oversees the London office, which provides compliance support to U.K.-based hedge funds, private equity firms and other alternative asset managers. Prior to joining Greyline, Nick spent 13 years at the Financial Conduct Authority, the U.K. regulator, followed by three years at a well-known international compliance consultancy. During this time, he gained a broad and deep understanding of the U.K. regulatory environment applicable to alternative asset managers – both from the perspective of the regulator and the firms being regulated. His time at the FCA included working as a supervisor on the alternative investments team, with responsibility for supervising some of the largest and most prominent hedge funds in the U.K., and undertaking firm examinations across a broader population of alternative asset managers. Prior to this, he worked extensively on AIFMD implementation from the FCA’s perspective, as well as assessing applications from investment firms seeking to obtain FCA authorization. Nick obtained a BSc in Mathematics from Imperial College London. In addition, he holds the Investment Management Certificate (IMC), the Fundamentals of Alternative Investments Certificate and the Financial Planning Certificate (FPC). He also speaks Japanese.

Tim Goodwin

Tim Goodwin is a Partner at Greyline and the head of the Fort Worth office. Prior to joining Greyline, Tim spent two years providing ongoing compliance and consulting services to alternative asset managers, including private equity funds, venture capital funds, real estate funds and hedge funds. He worked at TPG Capital for seven years in compliance and internal audit positions. As a director in the risk management and internal audit department, Tim was responsible for documenting and testing TPG’s allocation of fees and expenses, as well as preparing the firm for possible public listing, by leading TPG’s efforts in Sarbanes Oxley testing and compliance. Before joining the internal audit team, he spent five years running TPG’s compliance testing efforts across all of TPG’s businesses, including the private equity funds, credit platform, hedge funds, a 40 Act fund and a registered broker dealer. Prior to joining TPG Capital and moving to Texas, Tim spent more than six years with UBS Wealth Management (New York and New Jersey) in various compliance roles, touching on investment company, investment adviser and broker dealer compliance. He was most recently the chief compliance officer to UBS’s unit investment trusts and a compliance director for advisory products, including the separately managed account, financial advisor discretionary and mutual fund wrap programs. He assisted UBS in its first ever required annual reviews conducted pursuant to the compliance program rule, helped design and implement compliance policies and procedures for UBS’s advisory programs, and routinely assisted in updating required disclosure documents, including the Form ADV.

Jennifer Dickinson

Jennifer Dickinson is a Partner at Greyline and heads the firm’s Chicago office, as well as its CFTC/NFA practice. Her clients include private fund managers (hedge, private equity, venture capital and real estate), traditional RIAs, CPOs, CTAs and Swap Dealers. Jennifer advises on a range of compliance matters, including code of ethics/insider trading issues, risk management, compliance training, conflicts of interest and regulatory examinations. Prior to joining Greyline, Jennifer was the managing director of Sansome Strategies, a boutique compliance consulting firm specializing in alternative asset managers. Her other consulting experience includes serving as chief compliance officer for three prominent, SEC-registered investment advisers. Jennifer has also worked at noted law firms in the financial services space, including Cole-Frieman & Mallon LLP and Pillsbury Winthrop Shaw Pittman LLP. Jennifer began her career as the legal and compliance administrator at Standard Pacific Capital LLC, a SEC-registered, multi-strategy hedge fund manager based in San Francisco. Jennifer has an undergraduate degree from DePauw University and a law degree from Golden Gate University School of Law, where she was the editor–in–chief of the Law Review.

Sean Wilke

Partner & Head of Strategic Growth
Sean Wilke is a Partner, and the Head of Strategic Growth at Greyline and its affiliate GCM Advisory, which specialize in compliance consulting and outsourced finance, accounting and operations. He has extensive experience advising various types of investment managers, including hedge funds, private equity/credit funds, wealth managers, registered investment companies, institutional allocators and family offices, on a range of regulatory, compliance, operational and management matters. Before joining Greyline, Sean was a director within the governance, risk, investigations and disputes group at Duff & Phelps, where he focused on compliance and regulatory consulting for the alternative investment space. Prior to that, he was the general counsel and chief compliance officer of Bramshill Investments, a $4 billion, multi-strategy investment manager, where he oversaw all legal and compliance affairs. Sean also spent four years as a corporate and securities attorney at a law firm, as well as three years as a compliance associate at Bear Stearns & Co., where he performed surveillance for the investment and merchant banking groups. Sean has a B.A. in Political Science from Rutgers University and a J.D. from New York Law School.

Kathy Malone

Partner & Head of Consulting
Kathy Malone is a Partner at Greyline and co-head of the firm’s New York office. Before joining Greyline, she was an examiner with the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations in the Boston and New York offices, where she participated in numerous investment adviser and broker-dealer examinations. Prior to her time with the SEC, she was an examiner with FINRA, completing many examinations of broker-dealers and enforcement referrals. Most recently, Kathy worked for a consulting firm where she assisted broker-dealers, investment advisers and investment companies with the registration process, examination support and ongoing compliance needs. She has a B.S. in Finance from Villanova University and a Juris Doctor from Seton Hall Law.

Talia Brandt

Partner & Chief Operating Officer
Talia Brandt is a Partner at Greyline, and a member of gVue’s steering committee. Her team from Vista Compliance, LLC joined Greyline in May 2017. Talia founded Vista Compliance — a compliance consulting firm servicing broker-dealers, registered investment advisors and private fund managers — in April 2008. In her role with Greyline, Talia works closely with firms to ensure compliance with FINRA, state and SEC regulations. She has developed and implemented compliance and financial policies and procedures to ensure solid internal controls are in place for varying financial services firms. In addition to her compliance consulting work, Talia has served internally to firms as chief compliance officer and holds FINRA Series 7, 24, 66 and 79 registrations. Prior to forming Vista Compliance, Talia worked at Goldman Sachs in the investment management division in Salt Lake City. She then moved to the Bay area, where she went to work with smaller startup, boutique financial services firms.

Matt Okolita

Managing Partner

Matt Okolita is Managing Partner of Greyline, and a member of gVue’s steering committee. He has extensive SEC, FINRA and CFTC experience, having worked for and with premier hedge funds, private equity and venture capital firms, CLO and other debt managers, business development companies and mutual fund managers in both legal and compliance roles. Matt’s background includes undertaking a variety of legal and compliance functions, serving as counsel and chief compliance officer for startup managers, as well as international asset managers managing more than $30 billion. Matt has a Bachelor of Arts in Political Science and Economics from Bucknell University and a Juris Doctor from Suffolk University Law School, with distinction in Business Law and Financial Services.