On February 3, the Securities and Exchange Commission (SEC) issued a Risk Alert prepared by its Office of Compliance Inspections and Examinations (OCIE) that summarizes the results of a sweep of more than 100 broker-dealers and investment advisers that OCIE undertook in 2014 in order to assess the level of cybersecurity preparedness of the examined firms. A list of questions that OCIE considered in conducting the cybersecurity sweep is contained in an April 15, 2014 alert on OCIE’s Cybersecurity Initiative.
The exams targeted a cross-section of firms that varied by the amount of assets under management, type of client and affiliation in order to provide OCIE with representative information on the preparedness of the financial services industry. Most of the examined firms reported that they have been subject to cyber-related incidents directly or through one or more vendors, with most incidents related to malware or fraudulent e-mails.
The OCIE report on its cybersecurity exams focused on several critical areas, including:
- Identification of cybersecurity risks. Many firms reported undertaking risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences.
  - Fewer firms require vendors with access to the firms’ networks to perform cybersecurity risk assessments.
- Written information security policies. Many firms are using external standards, such as those published by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), to model their information security architecture and written policies.
  - The majority of written business continuity plans address how to mitigate the effects of a cybersecurity incident and/or outline an incident recovery plan.
  - Most written policies and procedures do not address how a firm will determine whether it is responsible for client losses associated with cyber incidents.
- Protecting networks and information. While the OCIE exams did not review the technical sufficiency of firms’ cybersecurity programs, the Risk Alert noted that many firms have identified best practices through information-sharing networks with industry groups and associations.
  - Most firms reported that they have inventoried, cataloged or mapped their technology devices, systems and resources.
  - Almost all firms use encryption in some form.
  - Many firms provide their clients with suggestions for protecting their sensitive information.
  - Some firms have an individual designated as a chief information security officer or have assigned such responsibilities to another senior officer, such as the chief compliance officer or the chief executive officer.
- Cybersecurity risk policies relating to vendors and other business partners varied.
  - Most broker-dealers, but few advisers, incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners.
  - Fewer firms maintain policies and procedures relating to information security training for vendors and business partners authorized to access their networks.
- Cyber insurance. More than half of the broker-dealer firms, but only 21% of the investment advisers examined, maintain insurance to cover losses and expenses related to cybersecurity incidents.
OCIE made clear that it is still reviewing the information collected during the sweep exams and did not indicate whether any of the examined firms will be referred to enforcement or be subject to additional exams. Consistent with its 2015 exam priorities, OCIE indicated that it will continue to focus on cybersecurity in its risk-based examinations. Finally, the Risk Alert urged the public to report to the SEC any activities that they suspect may violate the federal securities laws.