On August 7, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert summarizing the results of its second cybersecurity preparedness examination. The examination, which OCIE conducted in 2015-2016, covered a one-year period beginning in October 2014 and surveyed 75 regulated broker-dealers, investment advisers and funds. OCIE’s report observed that financial firms had increased their cybersecurity preparedness since OCIE’s previous cybersecurity examination, the results of which were released in February 2015. However, OCIE also found that there were numerous areas where firms could improve their cybersecurity compliance and oversight.
OCIE’s report highlighted various improvements in the industry since the previous examination. Notably, all of the examined broker-dealers and funds, and nearly all of the examined advisers, maintained written cybersecurity policies and procedures regarding protecting customer/shareholder information and records. Further, the vast majority of examined firms conducted periodic cybersecurity risk assessments. Additionally, all of the examined firms had implemented some way of preventing, detecting and monitoring data loss pertaining to personally identifiable information. The report also noted that the majority of examined firms engaged in penetration testing and conducted vulnerability scans, obtained or conducted vendor risk assessments, and had a process for ensuring regular system maintenance.
Despite these positive findings, OCIE observed that the “vast majority” of examined firms had one or more cybersecurity deficiencies to address. In particular, OCIE observed that many firms’ cybersecurity policies and procedures were “not reasonably tailored” because, for example, “they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.” Further, OCIE observed that firms “did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices.” (OCIE noted, for example, that some firms failed to perform ongoing security reviews and/or ensure that all employees completed cybersecurity awareness training.) OCIE also found that some firms lacked procedures needed to address Regulation S-P, which governs the privacy of consumer financial information.
In order to encourage good practices, OCIE’s report listed various elements of robust policies and procedures. These elements include:
Maintaining a complete inventory of data, information and vendors.
Providing detailed instructions concerning penetration tests, security monitoring, system auditing, access rights and reporting.
Maintaining prescriptive schedules and processes for testing data integrity and vulnerabilities.
Establishing and enforcing controls to access data and systems.
Mandating training for all employees.
Engaging senior management to vet and approve cybersecurity policies and procedures.
OCIE’s report noted that cybersecurity “remains one of the top compliance risks for financial firms” and that OCIE “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
The full OCIE report is available here.