On May 17, 2017, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the importance of conducting penetration tests and vulnerability scans on critical systems as well as performing ongoing systems maintenance and implementing system upgrades on a timely basis.
The Risk Alert highlighted for firms the risks and issues the staff has identified during examinations of broker-dealers, investment advisers and investment companies regarding cybersecurity preparedness. In addition, the Risk Alert described factors firms may consider to (1) assess their supervisory, compliance and/or other risk management systems related to cybersecurity risks, and (2) make any changes, as may be appropriate, to address or strengthen such systems. The SEC staff also noted that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.
OCIE emphasized that these factors are not exhaustive, nor will they constitute a safe harbor, and that factors other than those described in this Risk Alert may be appropriate to consider.