On August 7, 2017, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a examining the cybersecurity policies and procedures of 75 broker-dealers, investment advisers and investment companies (collectively, the “firms”). The Risk Alert builds on OCIE’s 2014 Cybersecurity Initiative, a prior cybersecurity examination of the firms, and notes that while OCIE “observed increased cybersecurity preparedness” among the firms since 2014, it “also observed areas where compliance and oversight could be improved.”
Key improvements observed included:
- use of periodic risk assessments, penetration tests and vulnerability scans of critical systems to identify cybersecurity threats and vulnerabilities, as well as potential business consequences of a cybersecurity incident;
- procedures for regular system maintenance, including software patching, to address security updates;
- implementation of written policies and procedures, including response plans and defined roles and responsibilities, for addressing cybersecurity incidents; and
- vendor risk assessments conducted at the outset of an engagement with a vendor and often updated periodically throughout the business relationship.
Key issues observed included:
- failure to reasonably tailor written policies and procedures (e.g., many policies and procedures were written vaguely or broadly, with limited examples of safeguards and limited procedures for policy implementation);
- failure to adhere to or enforce written policies and procedures, or failure to ensure that such policies and procedures reflected firms’ actual practices;
- failure to timely remediate high-risk findings of penetration tests and vulnerability scans; and
- use of outdated operating systems that no were longer supported by security patches.
In addition, the Risk Alert included a list of best practices identified by OCIE as elements of robust cybersecurity programs. These included maintaining:
- an inventory of data, information and vendors;
- instructions for various aspects of cybersecurity protocols, including security monitoring, auditing and testing, as well as incident reporting;
- schedules and processes for cybersecurity testing; and
- “established and enforced” access controls to data and systems.
OCIE further noted that robust cybersecurity programs may include mandatory employee training and vetting and approval of policies and procedures by senior management. OCIE indicated in the Risk Alert that its list of cybersecurity program best practices is not intended to be exhaustive.
OCIE noted that it will continue to prioritize cybersecurity compliance and will examine firms’ procedures and controls, “including testing the implementation of those procedures and controls at firms.”