The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on COVID-19 related risks on August 12th, 2020. Of note, the alert highlighted the following two critical areas related to cybersecurity compliance:
- Business Continuity Planning (BCP) practices
- Protection of investors’ data and other sensitive information
Based on the post-COVID proliferation of system compromises and industry provider data breaches in the asset management industry, this is not surprising. Our primary takeaways are as follows:
- Many of the BCPs that we encounter are perfunctory documents with little or no actionable steps to address the new world of remote operations. These plans still rely on a traditional office environment and assume a rapid return to normal. The component of a long-term remote workforce is not addressed. Consequently, the threats and related vulnerabilities associated with the remote workforce are not mitigated (or anticipated) until a malicious event transpires.
- Related to the above bullet, we continue to see 1st party and 3rd party data breaches – with Subscription Documents being the “Holy Grail” for criminals who target the asset management industry. Every data protection program should start with an actionable Personally Identifiable Information (PII) policy that focuses narrowly on the protection of subscription documentation – regardless of whether this data is maintained by the manager and/or its critical 3rd Party Vendors (e.g., Fund Admins, Legal Counsel, etc.).
Contact our team for more information.