Commentary & Analysis

helps financial firms meet and exceed the OCIE observations and requirements.

OCIE has highlighted information security as a key risk for security market participants, and has included it as a key element in its examination program over the past eight years.

This recap assumes familiarity with the OCIE and their cybersecurity observations.

Monarch views the OCIE observations as a minimum set of controls for an effective cybersecurity program.

OCIE will continue to conduct risk-based examinations of RIAs that have never been examined, including new RIAs and RIAs registered for several years that have yet to be examined.



For 2020, OCIE has outlined 7 key areas for a cybersecurity program.  OCIE gives a high level overview of each area but does not prescribe actions to take.  Many firms will follow NIST or ISO controls, but each firm needs a framework that fits their business.  These are key areas to have foundational security, but firms may need to go above this threshold depending on their threat model, data, regulations, and privacy obligations.


OCIE 7 Key Areas

  • Governance & Risk Management
  • Access Rights & Controls
  • Data Loss Prevention
  • Mobile Security
  • Incident Response & Resiliency
  • Vendor Management
  • Training & Awareness

Focus on these observations after implementing the 7 key areas. Ensure your cybersecurity program is documented.

0 1

Policies and procedures need to reflect the Firm's actual practices.


Policies and procedures need to be reasonably tailored to provide employees with guidance and include examples of procedures to follow during a cyber event.

Firms must consider their business model to conduct risk assessments that identify, manage, and mitigate cyber risks. 


Governance & Risk Management

  • Senior Level Engagement
  • Risk Assessment
  • Policies and Procedures
  • Testing and Monitoring
  • Continuous Evaluation
  • Communication


Cybersecurity must be continuous.


Firms need to continuously monitor and assess cyber risk.  Stale risk assessments can provide a false sense of security and lead mitigation efforts down wrong paths.

Cybersecurity monitoring should also extend to your firm’s service providers.



  • Develop reporting metrics to monitor cyber risks.
  • Implement continuous Vulnerability and Patch management.
  • Prioritize vulnerabilities and risks in context of your business and threat model. 
  • Include a failure/breach of your third party vendors in your business continuity plan.


Do the right things at the right time.


OCIE Risk Alerts provide timely information on cyber risks that affect financial firms.

For 2020, OCIE released the following risk alerts:

  • Ransomware
  • Select COVID-19 Compliance Risks and Considerations
  • Safeguarding Client Accounts against Credential Compromise
  • OCIE Observations: Investment Adviser Compliance Programs


  • Monitor cybersecurity alerts published by the Department of Homeland Security and CISA.
  • Share the alerts with your firm’s third party service providers.
  • Assess, test, and periodically update incident response and resiliency policies and procedures, such as contingency and disaster recovery plans.
  • Implement perimeter security capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized
    or harmful traffic.
  • Conduct heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations. 
  • Successful attacks occur more often when individuals use the same password or minor variations of the same password for various online accounts, and individuals use login usernames that are easily guessed, such as email addresses or full names.


{k:v} actions

OCIE wants to see evidence of continual improvement in your firm’s cybersecurity program.  Perfection is not expected, but documenting discovered risks and plans to mitigate them goes a long way to demonstrate the firm’s commitment to cybersecurity.

General cybersecurity controls to protect firm’s and investor PII includes: access rights and controls, data loss prevention, penetration testing and vulnerability scans, vendor management, employee training, and incident response plans.


  • Update your firm’s list of regulatory, legal, and privacy requirements.
  • Evaluate your firm’s current cybersecurity program against the 7 key areas.  Prioritize areas of improvement.
  • Update policies and procedures to reflect what the firm does in practice. 
  • Make procedures clear for staff to follow.
  • Continuously monitor your risk environment along with your third party vendors.

In the area of third-party and vendor risk management, OCIE will also focus on oversight practices related to certain service providers and network solutions, including those leveraging cloud-based storage.

Get Notified.
Stay Informed.

Find out More

Monarch delivers cybersecurity in a new way.  Get information that matters and security that’s effective.

Click below to schedule an introduction call.