This post continues our discussion of the Risk Alert released on August 7, 2017, by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) regarding conclusions drawn from its yearlong review of the cybersecurity practices of 75 asset management firms and funds.  The sweep, deemed OCIE’s Cybersecurity 2 Initiative, covered broker-dealer, investment adviser, and investment company practices during the period from October 2014 through September 2015. 
Continue Reading SEC Offers More Guidance on Cybersecurity Best Practices and Pitfalls – Part 2 of 2

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert summarizing its conclusions from a year-long review of the cybersecurity practices of 75 firms — including broker-dealers, investment advisers and investment companies. The sweep, OCIE’s Cybersecurity 2 Initiative, ran from September 2015 to June 2016 and covered the review period from October 2014 through September 2015. It follows OCIE’s 2014 Cybersecurity 1 Initiative, during which the staff examined a different group of firms from January 2013 to June 2014. The Risk Alert that followed the first sweep was released in early 2015.

The focus of OCIE’s second sweep was asset management firms’ written cybersecurity policies and procedures and, critically, their implementation. While the Risk Alert acknowledges that cybersecurity preparedness has improved across the industry since the first sweep exam, it emphasizes that significant deficiencies persist. The Risk Alert identifies common elements of policies and procedures that the staff regards as robust controls. The Risk Alert also stresses that, going forward, OCIE will increase its review of firms’ implementation of appropriately-tailored policies; merely having well‑drafted policies “on the books” that are not applied will not suffice.
Continue Reading SEC Offers More Guidance on Cybersecurity Best Practices and Pitfalls – Part 1 of 2

The year 2015 is shaping up to have an unusual focus on the center of that string of relationships tracing the path from end-investor to asset class — that is, the nuts and bolts of asset management “operations.”  Click here to read my recent article about key operations-oriented compliance developments for investment advisers in 2015.
Continue Reading Investment Advisers Act Compliance Developments in 2015

The cybersecurity threats faced by mutual fund transfer agents (TAs) and sub-transfer agents (Sub-TAs) are unique because their information technology (IT) networks house a massive amount of personally identifiable information (PII) belonging to the funds they serve (Fund PII).*  In its recent IM Guidance Update on Cybersecurity, the SEC staff stressed boards’ responsibility to oversee the management of “cybersecurity threats and vulnerabilities so as to better prioritize and mitigate cybersecurity risk.” 
Continue Reading Transfer and Sub-Transfer Agent Cybersecurity: Implementing SEC Guidance