The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert summarizing observations from its examinations of 75 firms, including broker-dealers, investment advisers and fund companies registered with the SEC. The examinations were conducted pursuant to the SEC’s previously announced Cybersecurity Examination Initiative. OCIE completed its first round of examinations in 2015; this second round examined a different population of firms.
OCIE staff focused on written policies and procedures related to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Notably, in an improvement since its first round of examinations in 2015, OCIE found that all broker-dealers and nearly all advisers examined maintained written cybersecurity-related policies and procedures addressing the protection of customer/shareholder records and information.
OCIE noted that:
- Nearly all broker-dealers and most advisers and funds conducted periodic risk assessments, penetration tests and vulnerability scans, regular system maintenance and vendor risk assessments.
- All firms utilized some form of system or tool to prevent, detect and monitor data loss of personally identifiable information.
- Most information protection programs included relevant cyber-related topics.
- All broker-dealers and most advisers and funds maintained cybersecurity organization charts.
Despite overall advances since 2015, OCIE observed that the vast majority of firms still had some policies that were too general and not reasonably tailored to the respective firm’s business. Indeed, OCIE indicated that the use of templates or off-the-shelf manuals is problematic.
Other firms did not appear to adhere to or enforce policies. Lastly, firms struggled with adequate system maintenance, such as the installation of software patches and other operational safeguards.
According to OCIE, best practices include:
- Maintenance of a complete inventory of data, information and vendors, along with classification of risks;
- Maintenance of detailed cybersecurity-related procedures (e.g., to review the effectiveness of security solutions as part of penetration tests, to track requests for access and to address modification of access rights during onboarding, changing of roles, etc.);
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access data and systems;
- Mandatory employee training; and
- Engaged senior staff.
Cybersecurity remains one of the top compliance risks for financial firms. Broker-dealers, investment advisers and funds registered with the SEC would benefit from considering OCIE’s observations in order to assess and improve their policies, procedures and practices. Cybersecurity planning should include maintaining and enforcing detailed policies and procedures, as well as developing rapid response capabilities.