The National Exam Program of the SEC’s Office of Compliance Inspections and Examinations (OCIE) recently published its observations from the second generation of its Cybersecurity Initiative. It reported overall improvement in firms’ cybersecurity awareness and preparedness, but said there is plenty of room for improvement. The staff noted that many firms have failed to adopt procedures reasonably tailored to their specific needs, and identified how firms can develop a more robust control environment.

OCIE examined 75 firms, including broker-dealers, investment advisers, and registered funds. It said that it conducted more validation and testing of the firms’ policies and procedures than during prior cybersecurity examinations and focused its testing on: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.