The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert highlighting its observations from its examinations of 75 firms, including broker-dealers, investment advisers and fund companies registered with the SEC. The examinations were conducted pursuant to the SEC’s previously announced Cybersecurity Examination Initiative. In 2015, OCIE completed its first round of examinations. This second round, conducted between September 2015 and June 2016, examined a different population of firms. The second round of examinations involved more validation and testing of the procedures and controls surrounding cybersecurity preparedness.
OCIE staff focused on the written policies and procedures related to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Notably, in an improvement since its first round of examinations in 2015, OCIE found that all broker-dealers and nearly all advisers examined maintained written cybersecurity-related policies and procedures addressing the protection of customer/shareholder records and information.
OCIE noted that:
- Nearly all broker-dealers and most advisers and funds conducted periodic risk assessments, penetration tests and vulnerability scans, regular system maintenance and vendor risk assessments.
- All firms utilized some form of system or tool to prevent, detect and monitor data loss of personally identifiable information.
- Most information protection programs included relevant cyber-related topics.
- All broker-dealers and most advisers and funds maintained cybersecurity organization charts.
Despite overall advances since 2015, OCIE observed that the vast majority of firms still had some policies that were too general and not reasonably tailored to the respective firm’s business. Indeed, OCIE indicated that the use of templates or off-the-shelf manuals is problematic.
Other firms did not appear to adhere to or enforce policies. Lastly, firms struggled with adequate system maintenance, such as the installation of software patches and other operational safeguards.
According to OCIE, best practices include:
- Maintenance of a complete inventory of data, information and vendors, along with classification of risks;
- Maintenance of detailed cyber-security related procedures (e.g., to review the effectiveness of security solutions as part of penetration tests, to track requests for access and to address modification of access rights during onboarding, changing of roles, etc.);
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access data and systems; • Mandatory employee training; and
- Engaged senior staff.
As recent high-profile hacks have shown, cybersecurity remains one of the top compliance risks for financial firms. While the findings of the SEC’s Cybersecurity Examination Initiative does not create a regulatory mandate, it provides valuable insight into what may be evolving industry best practices. Effective cybersecurity programs should contain, at minimum, the basic components needed to address the specific deficiencies highlighted in the Risk Alert. The absence of those components in a financial firm’s policies and procedures may expose that firm to increased cybersecurity risks. Broker-dealers, investment advisers and funds registered with the SEC would benefit from considering OCIE’s observations in order to assess and improve their policies, procedures and practices. Cybersecurity planning should include maintaining and enforcing detailed policies and procedures, as well as developing rapid response capabilities.