On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC examined 75 SEC-registered firms as part of its Cybersecurity 2 Initiative and noted an overall improvement in terms of (i) creating and implementing cybersecurity policies and procedures and response plans; (ii) conducting periodic risk assessments to identify threats and vulnerabilities; (iii) implementing measures to ensure regular system maintenance checks; (iv) maintaining processes for identifying cybersecurity roles and responsibilities; (v) receiving authority from customers and shareholders concerning fund transfer authority; and (vi) conducting vendor risk assessments or requiring risk management from vendors. However, the SEC also identified areas in need of improvement, such as failing to tailor or enforce policies and procedures, or to conduct adequate system maintenance, to safeguard customer information. Also included in the alert are examples of best practices and guidance for firms to follow when implementing cybersecurity-related policies and procedures.
Separately, that same day the International Monetary Fund (IMF) released a working paper discussing cyber risk awareness and the policy measures, regulatory frameworks, and supervisory measures affecting financial institutions’ approaches to systemic cyber risk. The IMF paper, entitled “Cyber Risk, Market Failures, and Financial Stability,” presents an overview of recent cyberattacks on the financial services industry, and stresses that cyber risk management requires that risks identified as part of a threat identification process be “actively managed” to “ensure that cybersecurity-related measures are appropriate for and commensurate with the underlying risk.” Risk avoidance, risk reduction, and risk transfer are the options it identifies for effective management. The paper further notes that, because cyber risk assessment has predominantly centered on individual institutions (which yields a relatively narrow view), insufficient attention has been given to systemic cyber risk, which commonly arises when financial institutions are exposed to “access vulnerabilities, risk concentration, risk correlations, or contagion effects (including through reputational channels).” The paper states that a need exists for regulatory reform and effective policy change “to build resilience through investment in cyber security while giving institutions flexibility to address the risks in the way they see as optimal.” Suggestions for measures—including national and international coordination—to strengthen resilience to cyber risk are also provided.