On March 3, 2021, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2021 Exam Priorities—the first such missive in the pandemic era. The Commission’s ability to be flexible and nimble in its approach to 2020 exams and plans for this year are laudable. To bolster that effectiveness, the recently created Event and Emerging Risk Examination Team will improve and expand OCIE’s rapid response capabilities. (I wrote more about the EERT here). Based on this year’s priorities, OCIE and EERT will be very busy in 2021.
Most notable on the list of exam priorities is a passage on remote work nestled in the Information Security and Operational Resiliency section. Over the last several years, information security has been a key area of concern for OCIE, having appeared as an exam priority multiple times. So, it is no surprise that the more nuanced information security risks related to remote work are being covered as virtual work and exams continue to persist during the pandemic. Of these more specific security practices, OCIE noted “[o]ver the past year, the increase in remote operations in response to the pandemic has increased concerns about, among other things, endpoint security, data loss, remote access, use of third-party communication systems, and vendor management.” Each of these areas, then, is ripe for further testing and evaluation in 2021.
By now, firms have largely transitioned to geographically dispersed work arrangements, leveraging business continuity plans and new technologies to support their transformation. The adoption of a “work from anywhere” business environment is being driven by the increased use of what the SEC deems “third-party communication systems” in the form of collaboration and chat platforms like Zoom, Microsoft Teams, Webex, Slack, and more. And, given SEC and FINRA rules mandating the capture, retention, and supervision of communications on collaboration and chat applications, OCIE’s emphasis on these risks is prescient. The dynamic communication features of collaboration tools like screen shares, whiteboards, webcams, and file transfers pose unique regulatory and compliance challenges to firms.
OCIE provides more granular color on the issues it will delve into during 2021 exams, including “controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.” Since collaboration and chat tools make it easy to share investor, customer, and employee PII in documents, links, and information from across internal and external systems, firms must deploy technical controls to monitor and identify data sharing.
At Theta Lake, we’re focused on building a modern supervision platform to facilitate compliance with relevant SEC Rules like Reg S-ID, Reg S-P, and 17a-4 that are likely to arise during the 2021 exam cycle. The Theta Lake Security and Compliance Suite facilitates supervision of communications with its AI-enabled detections that scan everything that was shown, spoken, or shared during a conversation.
In the collaboration context, Theta Lake facilitates oversight by detecting the display or discussion of PII like email addresses, birthdates, account numbers, and Social Security Numbers, as well as conversations about sensitive information or the sharing of URLs to file sharing or social media sites, providing firms full transparency into how this data is shared. Theta Lake also identifies potential regulatory issues such as discussions or sharing of Form CRS, promissory statements included in investment discussions, and conversations that may be indicative of complaints, collusion, or personal self-promotion.
Theta Lake applies the same discipline to dynamic chat conversations from platforms like Slack and Microsoft Teams where the need to analyze and identify risks in emojis, reactions, and animated gifs is crucial.
Following reviews of this content for regulatory, privacy, or security risks, Theta Lake offers 17a-4-compliant storage where firms can define multiple retention periods for their data. Additionally, when the time comes to search communications for production to the SEC, Theta Lake facilitates queries across the visual, audio, and text components of all communications, returning results like offering documents shown over web cams, SSNs displayed over screen shares, or links to Dropbox in a chat.
OCIE’s focus on information security and communications systems means that firms must have a compliance strategy for oversight that accounts for the nuances of the diverse set of functionalities of these platforms. Theta Lake can facilitate an end-to-end compliance framework for collaboration and chat platforms—full capture, supervision, archiving, and search—to manage the SEC’s expectations for 2021 examinations and beyond.
To read more about how Theta Lake can help your company achieve security and compliance for its Zoom, Webex, Microsoft Teams, RingCentral, [insert your platform here], visit our website here.