Part ll: SEC’s Proposed Cybersecurity Risk Management Rule for Investment Advisors and Funds: How to Comply

Gaini Umarov:

Happy to be here. My name is Gaini Umarov. I'm a senior manager in the IT Risk, Data, Privacy and Security department. I focus on IT governance, risk and compliance. My main focus is public companies, public funds, as well as financial institutions. Me and my team have taken a look at this reg and happy to continue talking into this reg and getting a little deeper into how to implement this.

JR:

And on the first series, obviously with the why and the what. We got into a slight bit of the how. But ultimately when we talk about the four parts, which again, for those who are listening to the first series, and if you missed the first series, it was about policies and procedures, the SEC's breach notification, and disclosures so that's two and three. And then the last part was record keeping. We're going to focus heavily on policies and procedures today because I think that's where everybody's having the biggest challenge. So, we want to start there and start thinking about, we talked about risk assessments in the first series. So Gaini, if we can talk a little bit more about risk assessments, how that flows down to some of the other things that are required under this policy and procedures, and we'll talk even about board oversight. How do you actually implement that? How do you actually get to a good place and good governance structure within the top structure and organization? So, could we talk about risk assessment?

GU:

Well, this risk assessment piece is very important and fits into all the different risks that our organization has. When we talk about the specific regulation, a lot of it is around users and identifying how these users behave. I would say, but further, there are a lot of ways that these risk assessments can go. Some of these are advised to be coupled with some of the more cutting edge or new technologies that we look at or new approaches of how we're doing this. Some of them are prioritizing encryption coupled with intrusion detection systems, which are the foundation for a lot of the cybersecurity initiatives as well as user access recertifications. Roles that these users have is a big focus of both this reg as well as generally for public companies. So non-public companies haven't really had that exposure yet. That's something that'll be new for them to review annually or even more frequently depending on how their environment is set up.

Additionally, rendering sensitive data, keeping that sensitive data closer rather than further somewhere is something that this regulation tries to aim these organizations to do if that's possible, if not, to use additional measures to make sure you're layered in on top of whatever the service provider provides to make it much more harder. Some of our clients, they use some tricks like they do honeypot. They provide a certain area where it seems like a lot of sensitive data is located, which kind of confuses a lot of these incident people who are, a lot of these hackers. They get confused by this because they spend a lot of time around that honeypot, whereas that information is actually not relevant to anything. And while they're doing that, saw these intrusive detection systems as well as security measures, they actually flag them enough time for them to be able to identify who it is and how it's done, as well as not lose any sensitive information. So, there's a lot of different techniques to do that. Apart from that, I think the big piece is incident response. And when you see that and you're able to successfully kind of mitigate those issues, you then have to think about how you're going to respond to them in the future, right? As well as lessons learned. But also, in the moment when that happens.

JR:

And there’s a process for that too, right? So, there's a procedure for response. There's a procedure to incident management. We see a lot of clients taking their business continuity plans and disaster recovery plans and emergency response plans and turning them into an incident response for cybersecurity, which makes sense. I mean, ultimately, you're responding in a similar way. An incident happened. How do we deal with this? The most important thing here to understand is your response is required by the SEC for material incidents, has to be significant to the organization, has to have a significant impact. How you define that is now up to you. So, we advise clients on a lot of different ways to think about it. Tiering the incidents in a procedure so people know not to escalate too soon, but also make sure you escalate. And that's again where the board comes in. So, breach notification is still at the 48-hour mark to the SEC, but that's when you know that there's a significant breach or significant to your organization.

So, you still have that requirement, but the other key factor is going back to how do you actually do this and having a procedure and controls in place that you can actually test on an ongoing basis. So, the annual review that you were just talking about is really important. The annual review of your procedures, your posture, your controls within those different categories, including user access and security around users who have access to sensitive data, threat management, how do you identify? So, think about, identify, protect, and detect. Those controls need to be reviewed regularly, and we're seeing at a minimum on an annual basis, which needs to happen as part of the reg. In a lot of cases, we're seeing it start on a quarterly basis as well. So, you get used to it and then now you're in a rope type of position where you know that this is something that you can continue or almost in the habit of doing it. That's really important. So, that's a big piece of the how is getting into that habit.

GU:

There's another piece to it, which is right now biased to do annually, but could be done more often. Any plan is only as good as you prepare. So, this is a company effort. So, on an annual basis, it is significantly important. On an annual basis, it's important to continuously prepare and get your teams together to enact on this. So, having exercises as well as pre-planned scripts and how will this department act or how will this specific unit behave when something like this occurs is as important as coming up with this part. So, it's only as good as how people are ready to enact on it. And that's another thing that I think it's coming to through this regulation to all these fund managers that you can have documentation that's best place. You want to make sure that it's clear and concise and easy to enact on as well as there's practice exercises where the whole team is ready to be able to respond swiftly. Sometimes a lot of these incident response plans, like you said, for example, business continuity wise, how fast can you cut off one network and start a new one? Or how fast can you migrate your data from data center one to data center two? And how fast can your operations be spun up again without any issues to your specific organization?

JR:

Or disruption.

GU:

Disruption, right? That's the biggest thing. So, that's going to avoid.

JR:

That's what good looks like. So, hopefully those that are listening understand that there is a maturity here that you get good at this by having some sort of a habit of getting into good controls, good governance. And again, that goes back up to the board. So, now boards are being held accountable, executive management team members are being held accountable. So, think about that accountability term as a key consideration for governance and what is good. So, they need to now see what's reported. So, I know we talked about public companies a little bit because this is sort of trickling into the investment advisor world, but ultimately what we're also seeing is that boards now have to have a line of sight, right? They need to get the right reporting, and that goes back into the record keeping. So, what are they seeing? How often do they see it?

So, we're also seeing boards receive at least annually, if not even in the beginning days, quarterly, a report on our cybersecurity posture. So, before you get there, you have to do the risk assessment. You have to see what controls you have; you have to see what gaps you have. Then you could start reporting and trying to figure out if you even go through that tabletop, that exercise for response. And we would recommend that with a lot of our clients. As you're starting that incident response plan, do a tabletop exercise, test it out, make sure you know that people know what to do. Comfortable. Exactly. And especially when it's an emergency response plan. So, we need to get people out of this building. We got to figure out how they do that. So same thing with cybersecurity and incident response. How do they respond to this incident? We feel like we have something here and that's happening all the time, right? Our employees, our clients, they're getting hacked every day. So now it's just a matter of whether it comes to a point where someone actually can do something about it and respond to it. So, it's really important to understand that.

GU:

And then thinking that you won't get hacked or breached is absolutely not the good way of thinking about it. They happen every second, every minute of every second so these incidents, you don't have to look at as if it will never happen to you, but rather if it does, how fast can you respond? How quickly can you recover? And how quickly can you cut off that and identify and then disclose, as well as provide all the relevant information to be able to mitigate all these issues in the future. So, this is imperative.

JR:

This is one that's very important to think about all of that, especially on the priority on making sure some of these things are at the forefront. So, on the how, before we end this series, I want to think about one big question that's asked. How long does it take? I know we have to implement a framework, right? And the NIST Framework is typically the framework that everybody uses when it comes to cybersecurity. How long do you think it takes for someone to start, maybe not from scratch, because obviously larger organizations have already done something here and they're continuing to improve and continuous improvement as part of that maturity. Yes. How long does it take for a smaller fund or an investment advisor to do this? What would you say?

GU:

Typically, when we get engaged with these kinds of organizations and when these kinds of requirements are set up, the designing factor of it probably takes a couple of months. And then getting everybody comfortable within the organization to be in the same mode as what the people who are driving this, it probably takes it three to six months. And within that time period, we help not only identify the design factors and the elements that should go in there, but also, we make sure that everybody's on the same page and why it's out. Because often within the organization, compliance might know why regulatory people actually work with the regulations might know, but the rest of the organization might be a little bit out of the loop. So, getting everyone on the same page and making sure that everybody signs off on it and then all the way up to the board, because ultimately that's what the reg wants, sign off from the board, therefore, making sure that the whole organization is aligned. That takes a little bit more time. So, I think that's another piece that we help significantly in bridging that gap between is this another thing that someone invented or is this something that is really required and we need to do it? So, this is, I think changing the mentality is another piece.

JR:

And I think you're spot on. Ultimately, you're hitting the key points from series one of the video, the why and the what, and now series two: education and awareness. What I've found, and I know you've done hundreds of these engagements with clients, the education and awareness is really, really important. And that actually probably takes the most time, right? You can document things fairly quickly. It's just a matter of you can get people in the organization to actually follow them, understand them, and implement them. So that's really, really important. So, I'm glad you brought that up.

GU:

And the roles and responsibilities. Sometimes it's a little vague, who needs to do what? So, this is where we help to identify clarity. A lot of our clients that we work with, they already have policies and procedures often in a way that's written in very and very much detail. However, the thing that's missing often is who is supposed to do what? What's your role? And when you have to enact, is it after somebody? Is it simultaneously? What are the roles and what are the responsibilities? So, this is where we help to clarify that within these policy and procedures as well as unofficially, everybody has to be comfortable what they're taking on. And these are the elements that SEC wants to make sure that everyone within the organization knows. Great point there.

JR:

So, in conclusion, I hope you found this to be helpful as you navigate through the new cybersecurity rules for investment advisors and fund managers. Clearly the why, the what and the how are really important. Get started early would be our recommendation. Look at your documentation, solicit advice from your advisors, and ultimately, you'll get there if you start early. This is an impending regulation. We see it coming out soon. So obviously the key thing there is making sure that you have the proper processes and accountability in place to get through it.