Cyber security exams are coming for investment advisory firms by late September or soon after, according to the head of the Securities and Exchange Commission’s examinations program for advisors.
Jane Jarcho, speaking Thursday at the commission’s day-long Investment Adviser and Investment Company compliance seminar in Washington, D.C., said that the inquiries could take the form of separate examinations or additional questions in regular exams.
The SEC will ask cyber security questions about advisors’ policies for responding to identity theft, about their plans for business continuation in case of a cyber attack, about the level and impact of prior attacks, and about the advisory firms’ policies on IT training, vendor access and vendor due diligence.
Jarcho added that advisors should report material attacks only, not all types of intrusion or attempts at improper access, since there are millions of those and most are minor.
She also said that the SEC will begin a sweep by the end of the year, monitoring advisors for violations of the general solicitation ban on Internet advertising to potential clients. As part of the sweep, the SEC will look at how investment advisors and broker-dealers are implementing the new rules and making sure that the investors being attracted are eligible.
Examiners will further focus on wrap fee programs, she said, looking at inactive accounts for reverse churning, potential conflicts of interest and financial incentives that favor less transaction activity. The examiners will want to know if the wrap fee arrangements contribute significant revenue to advisors who are doing little work on them.