This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies"
You can download our ebook on the rule at https://ria.tips/ebook.
Your entire cybersecurity program will flow out of what your risk assessment turned up, but there are broad outlines of what it should look like, according to the SEC.
A quick note: the SEC does not use industry-standard categories here, which may make some of its guidance appear to conflict with frameworks you already know. Expect most cybersecurity plans to be laid out differently than what the SEC outlines below, but the same set of controls should exist in both.
User Security Controls
User security controls are the controls you put in place to prevent unauthorized access to information through users, as opposed to direct access to the systems. If you think of a bank vault, the user controls cover who has physical access to the vault and who knows the combination, which is different from the strength of the vault itself.
Policies
The controls need to cover the administrative as well as the technical. For instance, the SEC specifically calls out acceptable use policies (AUPs), which set out the standards of behavior expected of users. Other policies might include:
- Bring your own device (BYOD) policies
- Password policies
- Work from home policies
- Remote access policies
- Confidentiality policies
- Security awareness policies
- Removable media policies
- Email policies
- Mobile device policies
- ...and more
Of course, you will probably combine most or all of these into a single document. Some firms may choose to put them into their employee handbook or code of ethics.
Identity & Access Management
These are the technical controls that authenticate a person: usernames and passwords, multifactor authentication, biometrics, and other methods for verifying that somebody is who they say they are. You may use a single sign-on (SSO) provider such as JumpCloud or Microsoft Entra ID (formerly Azure Active Directory).
Many IAM platforms make log monitoring, alerting, and auditing straightforward. For instance, you can alert when someone is locked out of their account: a lockout may indicate an attempted intrusion, or it may just be fat fingers, and the surrounding failed-login events (how many, how fast, from how many source addresses) usually tell you which.
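The distinction above (intrusion attempt versus fat fingers) is something you can automate once the IdP's authentication log is exported. The following is an added example, not code from the original post or from any IdP vendor; the log format (`<timestamp> <event> user=<name> src=<ip>`) and every log line are constructed for illustration, and the thresholds (a 10-minute window, five failures) are assumptions you would tune to your own lockout policy. It classifies each lockout by what preceded it and, as a generalization the text does not spell out, also flags a single source address failing against many accounts, which is the shape of a password-spray attempt rather than a typo.

```python
"""Classify account lockouts from IdP authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real IdP). One event per line:
#   <ISO-8601 timestamp> <EVENT> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-04T09:00:01Z LOGIN_FAILED user=alice src=203.0.113.10
2024-03-04T09:00:05Z LOGIN_FAILED user=alice src=203.0.113.10
2024-03-04T09:00:09Z LOGIN_OK user=alice src=203.0.113.10
2024-03-04T09:12:00Z LOGIN_FAILED user=bob src=198.51.100.7
2024-03-04T09:12:03Z LOGIN_FAILED user=bob src=198.51.100.8
2024-03-04T09:12:06Z LOGIN_FAILED user=bob src=198.51.100.9
2024-03-04T09:12:09Z LOGIN_FAILED user=bob src=198.51.100.10
2024-03-04T09:12:12Z LOGIN_FAILED user=bob src=198.51.100.11
2024-03-04T09:12:13Z ACCOUNT_LOCKED user=bob src=198.51.100.11
2024-03-04T09:15:00Z LOGIN_FAILED user=erin src=198.51.100.7
2024-03-04T09:15:20Z LOGIN_FAILED user=frank src=198.51.100.7
2024-03-04T09:15:40Z LOGIN_FAILED user=grace src=198.51.100.7
2024-03-04T10:30:00Z LOGIN_FAILED user=carol src=192.0.2.5
2024-03-04T10:30:04Z LOGIN_FAILED user=carol src=192.0.2.5
2024-03-04T10:30:08Z LOGIN_FAILED user=carol src=192.0.2.5
2024-03-04T10:30:12Z LOGIN_FAILED user=carol src=192.0.2.5
2024-03-04T10:30:16Z LOGIN_FAILED user=carol src=192.0.2.5
2024-03-04T10:30:17Z ACCOUNT_LOCKED user=carol src=192.0.2.5
2024-03-04T11:00:00Z LOGIN_FAILED user=dave src=192.0.2.44
2024-03-04T11:00:07Z LOGIN_FAILED user=dave src=192.0.2.44
2024-03-04T11:00:15Z LOGIN_FAILED user=dave src=192.0.2.44
2024-03-04T11:00:16Z ACCOUNT_LOCKED user=dave src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, event, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, src))
    return events


def classify_lockouts(log_text, window=timedelta(minutes=10), max_failures=5):
    """Return {user: verdict} for every ACCOUNT_LOCKED event.

    Verdicts (thresholds are assumptions, tune to your lockout policy):
      'multiple_sources'    failures in the window came from more than one IP
      'single_source_burst' at least max_failures from one IP (script or stuck client)
      'likely_fat_finger'   a handful of failures from one IP
    """
    events = parse(log_text)
    verdicts = {}
    for ts, event, user, _ in events:
        if event != "ACCOUNT_LOCKED":
            continue
        recent = [(t, s) for t, e, u, s in events
                  if u == user and e == "LOGIN_FAILED" and ts - window <= t <= ts]
        sources = {s for _, s in recent}
        if len(sources) > 1:
            verdicts[user] = "multiple_sources"
        elif len(recent) >= max_failures:
            verdicts[user] = "single_source_burst"
        else:
            verdicts[user] = "likely_fat_finger"
    return verdicts


def password_spray_sources(log_text, min_users=3):
    """Return source IPs whose failed logins hit at least min_users distinct accounts."""
    users_by_src = defaultdict(set)
    for _, event, user, src in parse(log_text):
        if event == "LOGIN_FAILED":
            users_by_src[src].add(user)
    return {src for src, users in users_by_src.items() if len(users) >= min_users}


if __name__ == "__main__":
    for user, verdict in sorted(classify_lockouts(SAMPLE_LOG).items()):
        print(f"lockout {user}: {verdict}")
    for src in sorted(password_spray_sources(SAMPLE_LOG)):
        print(f"possible password spray from {src}")
```

On the constructed data, bob's lockout is preceded by failures from five different addresses and 198.51.100.7 goes on to try three more accounts, which is worth a ticket; dave's three failures from one address is the fat-finger case you would expect to see daily. In practice you would feed this the IdP's exported sign-in log (or run the equivalent query in its own alerting) rather than a string.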
Credential Standard Operating Procedures
This is where you set up your procedures for issuing credentials, replacing them, revoking them, and removing them after a user has left. Many of these are easy to think of: you should have an SOP for when a new employee comes on board and for when a user is terminated.
Less common -- but just as important -- are procedures for revoking credentials when someone changes roles. For example, if an employee moves from customer service to marketing or trade strategy, their credentials to the customer service systems should be revoked unless they are still required for the new job, in which case the exception should be documented and reviewed.
SOPs for working with external entities or contractors are often overlooked. For instance, if you share company data externally during a project, what is your SOP for removing the outside entity's credentials when the project is over? If you had to share a password, when will you change it so the shared version is no longer valid?
Principle of Least Privilege (The Need to Know Principle)
Simply put: don't give people access to more information, data or systems than they need. In some systems this is straightforward; in others it can be complicated. For instance, many systems allow you to assign different roles to users such as administrator, manager, reviewer, user, guest, etc.
More granular permissions may make the most sense: if you have advisors that have specific sets of clients, each advisor may need the same level of access to the system, but only be allowed to see data on their clients.
While not complicated to understand and set up, it is often difficult to keep up with changes, so regular audits are a must. For example, you may choose to audit who has access (and what level of access) to a document management system on an annual basis but choose to audit who has access to your custodian on a quarterly basis.
The SEC puts it as:
Effective controls would also generally include user security and access measures that are regularly monitored not only to provide access to authorized users, but also to remove access for users that are no longer authorized, whether due to removal from a project or termination of employment.
You may choose to audit what data is in your systems on a periodic basis: company shared folders and drives are littered with information that isn't appropriate for everyone in the firm, or is data the firm no longer ought to have on file.
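A periodic access review is the control that ties the role-change SOP, the SEC's "remove access for users that are no longer authorized" language, and the different audit cadences for different systems together. The following is an added example, not code from the original post: it compares each system's current account list against an HR roster and a role matrix, and reports grants that are not justified by the holder's current role or status. The roster, role matrix, grant lists, exception list, review dates, and review cadences are all constructed for illustration; in practice the grant lists come from each system's user export and the roster from HR, and the cadences are whatever your risk assessment set.

```python
"""Access review: compare live grants against the HR roster and a role matrix."""
from datetime import date, timedelta

# Constructed example data; none of it describes a real firm or real systems.
ROLE_ENTITLEMENTS = {  # role -> systems that role is allowed to hold
    "advisor":          {"crm", "custodian_portal", "dms"},
    "customer_service": {"crm", "dms"},
    "marketing":        {"dms", "marketing_suite"},
    "it_admin":         {"crm", "custodian_portal", "dms", "marketing_suite", "idp_admin"},
}

ROSTER = {  # user -> (current role, employment status), as HR would export it
    "alice": ("advisor", "active"),
    "bob":   ("marketing", "active"),       # moved here from customer_service
    "carol": ("customer_service", "terminated"),
    "dan":   ("it_admin", "active"),
    "erin":  ("advisor", "active"),
}

GRANTS = {  # system -> users who currently hold an account, per each system's export
    "crm":              {"alice", "bob", "carol", "dan", "erin"},
    "custodian_portal": {"alice", "dan", "erin", "erin_contractor"},
    "dms":              {"alice", "bob", "dan", "erin"},
    "marketing_suite":  {"bob", "dan"},
    "idp_admin":        {"dan", "alice"},
}

# Documented, time-boxed exceptions: (user, system) -> date the approval expires.
EXCEPTIONS = {("bob", "crm"): date(2024, 6, 30)}

# Review cadence in days per system; anything not listed uses the default.
REVIEW_CADENCE_DAYS = {"custodian_portal": 90, "idp_admin": 90}
LAST_REVIEWED = {
    "crm": date(2023, 9, 1),
    "custodian_portal": date(2024, 2, 1),
    "dms": date(2023, 11, 15),
    "marketing_suite": date(2024, 4, 1),
    "idp_admin": date(2024, 4, 20),
}


def review_access(grants, roster, role_entitlements, exceptions, today):
    """Return sorted (user, system, reason) tuples for grants that need action."""
    findings = []
    for system, users in grants.items():
        for user in users:
            if user not in roster:
                findings.append((user, system, "no roster entry: orphan or contractor account"))
                continue
            role, status = roster[user]
            if status != "active":
                findings.append((user, system, f"user is {status} but still has access"))
                continue
            if system in role_entitlements.get(role, set()):
                continue  # justified by the current role
            expires = exceptions.get((user, system))
            if expires is not None and expires >= today:
                continue  # documented exception still in force
            reason = (f"exception expired on {expires.isoformat()}" if expires
                      else f"not justified by role {role!r}")
            findings.append((user, system, reason))
    return sorted(findings)


def reviews_due(last_reviewed, cadence_days, today, default_days=365):
    """Return the systems whose next scheduled access review is on or before today."""
    return sorted(system for system, last in last_reviewed.items()
                  if last + timedelta(days=cadence_days.get(system, default_days)) <= today)


if __name__ == "__main__":
    today = date(2024, 5, 1)
    for user, system, reason in review_access(GRANTS, ROSTER, ROLE_ENTITLEMENTS, EXCEPTIONS, today):
        print(f"{system}: {user}: {reason}")
    print("reviews due:", reviews_due(LAST_REVIEWED, REVIEW_CADENCE_DAYS, today))
```

On the constructed data the review surfaces exactly the three cases the text warns about: a terminated user (carol) still in the CRM, an account on the custodian portal that matches no one in HR's roster, and an advisor holding an administrative role in the identity provider. Bob's leftover CRM access is silent only because it has a documented expiry; run the same review after that date and it becomes a finding too, which is the point of time-boxing exceptions rather than granting them permanently.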
Secure Remote Access
This is another area where the SEC definitions become very broad.
Advisers and funds generally should implement detection security capabilities that can identify threats on a network’s endpoints. For example, they may utilize software that monitors and inspects all files on an endpoint, such as a mobile phone or remote laptop, and identifies and blocks incoming unauthorized communications...
...firms should consider having policies and procedures for using any mobile or other devices approved for remote access, and implementing security measures and training on device policies and effective security practices.
This is where you implement tools such as:
- Antivirus
- Endpoint detection and response (EDR)
- Mobile device management (MDM)
- VPNs
- SASE
- Device-level firewalls
- Geo-filtering
This requires a thoughtful approach. How do you handle policies and the corresponding technical controls for working from home, from a coffee shop, or from an airplane during a flight? How do you secure the device when you don't trust the network (such as in-flight wifi)? How do you secure the connection so no one can eavesdrop? Which systems will you allow to be accessed remotely, and which only on-site?