The SEC has released observations from its Cybersecurity 2 Initiative (as a follow-up to its 2015 OCIE exam initiative). National Examination Program staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness.
“The examinations focused on firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed. In addition, the staff sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.” (see Risk Alert)
Generally, the SEC staff found improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices. Specifically, all broker-dealers, all funds, and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information.
However, OCIE examiners found the following weaknesses:
- Policies and procedures were not tailored to the firm: they were too general, too narrowly scoped, or vague.
- Firms did not appear to be following or enforcing their own policies and procedures.
- Firms are not following through on employee security awareness training.
- Security reviews are not being conducted annually as stated in the policies and procedures.
- Firms are still using outdated operating systems.
- High-risk findings from penetration tests or vulnerability scans did not appear to be fully remediated in a timely manner.
The SEC continues to suggest the following elements to strengthen firms’ security postures:
- Policies and procedures should include an inventory of data, information and vendors.
- Detailed instructions should be developed and followed for penetration tests, security monitoring, access rights and reporting.
- Strict schedules should be adhered to for vulnerability scans and patch management.
- Controls governing access to data and systems should be established and enforced.
- Security training should be mandatory for all employees at on-boarding and periodically thereafter.
- Senior management MUST engage in the process for it to be successful.
Cybersecurity remains one of the top compliance risks for financial firms. The OCIE will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms. Contact ACE IT Solutions at 646.558.6358 to ensure that your firm is properly prepared for these exams.
Read the full OCIE Risk Alert here: https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf