At a Schwab IMPACT conference panel on SEC cybersecurity audits, two panelists, Trevor Hicks, Director of Technology of Wetherby Asset Management and Robert Ross, Chief Compliance Officer of Sontag Advisory, shared their perspectives as a result of undergoing an SEC Cybersecurity Audit. A third panelist, Michelle Jacko, Founder and CEO of Core Compliance & Legal Services, Inc., shared her experience from advising advisors on cybersecurity audits.
Here are a few key takeaways — presented in Q&A format — from the Schwab Impact panel, “Are You Ready for Your Cyber Exam?”
Q: If a firm recently experienced a books and records audit by the SEC, how likely is it to also get a Cybersecurity Audit?
A: An SEC Cybersecurity Audit is unrelated to other SEC audits. So yes, it’s very feasible that a firm could have the SEC Books and Records Audit or a "sweep" audit, then mere months, weeks or even days later, be contacted by the SEC for a Cybersecurity Audit.
Q: How is the Cybersecurity Audit experience different from other SEC audits?
A: Hicks and Ross both commented that the Cybersecurity auditors were very knowledgeable and tech savvy. The auditors understood hardware and software products well. This is a big change from RIAs’ typical lament that SEC auditors don’t understand their business.
Q: What did the "exam" focus on?
A: Key topics were:
- Due diligence of third parties (e.g., vendors and other service providers)
- The advisory firm’s written risk assessment and what the firm is doing about the risks it identified
- The process the staff uses to escalate a perceived security problem/incident
- The establishment of an incident response team
- Employee/User awareness training
Q: How long is a Cybersecurity Audit?
A: Hicks stated that six examiners were onsite for one day, while Ross said their firm’s audit was 6 days conducted by one cybersecurity auditor and two SEC auditors.
Q: What types of questions should I expect from the Cybersecurity Audit?
A: According to the panelists, the vast majority of questions were IT related — network architecture and security protocols, for example. This means it will be important for your system administrator or IT provider to be on-hand to answer questions and to have your compliance officer present to provide any interpretation and clarification as needed.
The SEC requires documentation, not just verbal responses from the IT provider, to support technology claims in this exam. For example, you may be asked to provide a diagram of your network architecture. In fact, Hicks stated that 37 questions from their cyber exam required documentation.
Q: If we're a small firm, won’t auditors take that into consideration during the exam?
A: The short answer: No. While you are expected to do what’s reasonable, small firms are held to the same standards as larger practices. There is no “break” for small firms.
Compliance panelist Jacko mentioned that auditors are no longer just looking for an implementation plan. Auditors are much less forgiving of firms that don’t have their cybersecurity policies and processes in place. In fact, in another panel on which Jacko participated, she shared the story of an investment advisory firm that was cited by the SEC and fined $75,000 for “failing to adopt any written policies and procedures to ensure the security and confidentiality of Personally Identifiable Information (PII) and protect it from anticipated threats or unauthorized access.”
Q: How long does it take to prepare for an SEC Cybersecurity Audit?
A: Hicks said they worked on cybersecurity over a two-year time span prior to receiving their audit notification. Hicks commented that he took a risk-based approach, first focusing on the easiest way to address the greatest risk. Ross said they prepped diligently for a year prior to their audit notification. Specifically, they met with their IT provider biweekly and set goals to achieve every two weeks in order to address all of the 120 items outlined by the SEC. Another key takeaway from the panel is to start preparing a lot sooner, especially with employee training.
Q: If we don’t have a lot of resources, what type of post-exam guidance does the SEC provide?
A: The panelists indicated that the SEC does not provide any firm-specific guidance. The SEC only sends a final write-up, which does not include recommendations. The SEC provides general guidance here. Schwab also has valuable cybersecurity resources online (note: gaining access requires Schwab login credentials).
Get started now. Begin with employee training and consider the resources and/or approaches described above. Schwab offers a risk assessment tool in its cybersecurity resource center which, as Hicks mentioned in describing the approach he took with his firm, helps you identify the areas of greatest risk to tackle first.
You may also be interested in our post, "How to Start a Cybersecurity Program (Or Convince Your Boss to)."