The Office of Compliance Inspections and Examinations of the Securities and Exchange Commission issued a report saying that firms have “increased cybersecurity preparedness” since 2014, after reviewing 75 registrants, including broker-dealers, investment advisers and investment companies. However, OCIE also concluded that firms’ cybersecurity policies and procedures are not uniformly tailored to their business because they are too vague or general, and are not always followed or enforced. In some cases, such policies and procedures do not reflect actual practices. In addition, OCIE concluded that firms do not appear to “adequately” conduct system maintenance, such as timely installing software patches to address system vulnerabilities in order to protect customer information. Also, in some cases, firms use outdated operational systems that are no longer supported by security patches, or fail to timely fix high-risk issues identified by penetration tests or vulnerability scans. Although OCIE found that most firms had plans for addressing unauthorized access issues, less than two-thirds of all investment advisers and funds had plans for notifying customers in connection with information breaches. As part of its report, OCIE identified certain elements firms should consider including in “robust” cybersecurity policies and procedures, including: maintenance of a complete inventory of data, information and vendors, including a vulnerability risk assessment; “detailed” cybersecurity instructions (e.g., addressing penetration tests, security monitoring, access rights and breach response); data and system access controls; mandatory employee training; and “engaged” senior management.
Compliance Weeds: The SEC has brought two enforcement actions against registrants for failing to comply with Regulation S-P over the past two years.
(Regulation S-P requires registered broker-dealers, investment advisers and investment companies to adopt written policies to help protect customer records and information. The rule addresses administrative, technical and physical safeguards regarding such information. Click here to access the text of Regulation S-P.)
In one enforcement action, RT Jones Capital Equities Management, Inc., an investment adviser, agreed to pay a fine of US $75,000 to resolve charges by the SEC for not having written cybersecurity policies and procedures to protect customer records and information in advance of a cyber-attack. (Click here to access further details regarding this enforcement action in the article “SEC Sanctions Investment Adviser for Not Implementing Policies and Procedures in Advance of Cyber-Attack” in the September 27, 2015 edition of Bridging the Week.) Moreover, this year, as in 2016, OCIE has indicated that cybersecurity is a priority in its examinations of registrants. (Click here to access OCIE’s examination priorities for 2017.)
Separately, effective March 1, 2016, all members of the National Futures Association were required to adopt and enforce written policies and procedures to protect customer data and help prevent unauthorized access to their electronic systems. (Click here for further details on NFA’s requirements in the article “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.)
SEC and CFTC registrants generally should ensure not only that they have robust policies and procedures addressing cybersecurity, but also that such measures are tailored to their firms’ specific business and are actually followed.