The United States Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) recently conducted its Cybersecurity 2 Initiative (Initiative). The Initiative consisted of an examination by OCIE of 75 businesses, including investment companies, investment advisers, and broker-dealers (collectively, the Firms). OCIE reported its observations from the Initiative in a recent Risk Alert.1 The Initiative focused on the Firms' written policies and procedures regarding cybersecurity and included validation and testing that such policies and procedures were implemented and followed.
In general, OCIE observed that Firms had increased their cybersecurity preparedness since OCIE's 2014 Cybersecurity 1 Initiative.2 However, OCIE noted specific areas where compliance and oversight could be improved. A summary of OCIE's observations, including issues and robust practices identified by the organization, follows.
OCIE observed that most Firms conducted (i) periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and business consequences, and (ii) penetration tests and vulnerability scans. In addition, all Firms utilized some system, utility, or tool to prevent, detect, and monitor data loss related to personally identifiable information. In contrast, OCIE's observations included several issues at many Firms, depending, in part, on the type of firm. For example:
- A number of Firms did not appear to fully remediate risks discovered from tests and scans.
- A number of Firms failed to install critical software security patches in connection with regular system maintenance.
- Many advisers and funds did not appear to maintain their incident response plans related to data breach incidents and notifying customers or clients.
- Some Firms did not appear to memorialize, as part of their written supervisory procedures, their authority to transfer client/customer funds to third-party accounts.
Specific Issues Identified by OCIE
OCIE provided more detail with respect to many of the issues identified pursuant to the Initiative. For example, although most Firms kept up-to-date written policies and procedures for the protection of client data, many did not enforce those policies. OCIE noted that many of the Firms' actual practices diverged from their stated goals. Additionally, OCIE noted that Firms should tailor their policies to their business and should avoid creating contradictory or confusing instructions for employees, particularly with respect to certain areas, such as remote access and investor fund transfers. Finally, some issues implicated Regulation S-P, including the use of outdated operating systems and the failure to correct high-risk vulnerabilities when identified.
Robust Policies and Procedures
OCIE also highlighted the following elements of robust cybersecurity policies and procedures:
- Firms generally kept a complete inventory of data and information and classified it by risk, vulnerabilities, and other criteria.
- Firms' policies and procedures included detailed cybersecurity-related instructions, including with respect to penetration tests, security monitoring and system auditing, access rights, and reporting.
- Many Firms maintained schedules and processes for testing data integrity and vulnerabilities, such as scans of core IT infrastructure and patch management policies.
- Other Firms required strict controls, including passwords and other encryption, for mobile devices that connected to the Firms' systems.
- Finally, some Firms strictly traced an employee's access rights throughout his or her time with the company, noting how and when the rights changed.
The Initiative and OCIE's related observations reinforce the priorities set forth in OCIE's 2017 Priorities Letter (a copy of which can be accessed here). OCIE's continued scrutiny of the industry's cybersecurity programs, policies, and procedures merits ongoing diligence, assessments, and improvements by regulated firms. To read more about OCIE's cybersecurity examination observations, click here.