Over the past couple of years, the US Securities and Exchange Commission (SEC) has been examining broker-dealer and investment advisor cybersecurity risks and preparedness. In 2016, it advanced its efforts to include testing and assessment of firms’ implementation of cybersecurity procedures and controls, as well as evaluating firms’ policies and procedures designed to ensure the capacity, integrity, resiliency, availability and security of their Systems Compliance and Integrity.
This San Francisco Bay Area-headquartered financial advisory firm, with 15 offices nationwide, was the first of Xantrion’s clients to be chosen for a 2016 SEC cybersecurity audit. It had just one week to submit all the documentation necessary to demonstrate precisely what it was doing to protect its customers’ sensitive financial information. It also needed to prepare for a subsequent onsite oral examination by SEC representatives.
Xantrion assisted with the technical side of the cybersecurity audit while the advisory firm’s own compliance team focused on more business-specific questions.
Xantrion provided the SEC with all the following documentation:
- Xantrion’s own SOC 2 Type II security certification, which verifies that Xantrion’s hosted servers and applications, internal security, and business continuity processes all comply with current best practices.
- Third-party certified documentation about procedures at the data center where Xantrion hosts the firm’s applications and data.
- Proof that the firm regularly backs up its data, with details about how the backup is made, where it’s stored, and how it’s secured.
- Xantrion’s own internal security policy and cybersecurity breach response plan describing how it protects against, detects, and responds to any attempted attacks on the firm’s hosted environment.
- Policies and procedures around the firm’s IT infrastructure, including the processes for adding new hires to and removing terminated employees from the firm’s systems as well as managing requests for firewall, user permission and other security changes. “We can prove not just that the firm has procedures for these changes, but that they follow these procedures consistently,” the vCIO explains.
- Details of the firm’s IT plan for disaster recovery and business continuity, including highly available offsite systems and backups.
A Xantrion vCIO subsequently sat in with the firm’s director of operations, chief compliance officer, and legal counsel during the SEC’s in-person examination, providing answers to technical questions and elaborating on the documentation as needed.
The SEC didn’t find any deficiencies relative to its cybersecurity guidelines.