SEC OCIE Observations on Cybersecurity
The following article was authored by Richard Heller:
Recently, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting its observations from its examination of 75 firms, including broker-dealers, investment advisers and investment companies (Funds) registered with the SEC. The examinations were conducted pursuant to the SEC’s previously announced Cybersecurity Examination Initiative. In 2015, the OCIE completed its first round of examinations; this second round examined a different population of firms.
The staff focused on the written policies and procedures related to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Notably, in an improvement since its first round of examinations in 2015, the OCIE found that all broker-dealers and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information.
The OCIE noted that: (1) nearly all broker-dealers and most advisers and funds conducted periodic risk assessments, penetration tests and vulnerability scans, regular system maintenance and vendor risk assessments; (2) all firms utilized some form of system or tool to prevent, detect and monitor data loss of personally identifiable information; (3) most information protection programs included relevant cyber-related topics; and (4) all broker-dealers and most advisers and funds maintained cybersecurity organizational charts.
Despite overall advances since 2015, the OCIE still observed at least one cybersecurity issue at the vast majority of firms. Some policies were too general and not reasonably tailored to the respective firm’s business; indeed, the use of templates or off-the-shelf manuals is problematic.
Other firms did not appear to adhere to or enforce their policies. Lastly, firms struggled with adequate system maintenance, such as the installation of software patches and other operational safeguards.
According to the OCIE, best practices include:
- Maintenance of a complete inventory of data, information and vendors, along with classification of risks;
- Detailed cybersecurity-related instructions (e.g., specific criteria for reviewing the effectiveness of security solutions as part of penetration tests, tracking of access requests, and policies that specifically address modification of access rights during onboarding, changes of role, etc.);
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access data and systems;
- Mandatory employee training; and
- Engaged senior staff.
Cybersecurity remains one of the top compliance risks for financial firms. Broker-dealers, investment advisers and Funds registered with the SEC would benefit from considering the OCIE’s observations in order to assess and improve their policies, procedures and practices. Appropriate cybersecurity planning will include maintaining and enforcing detailed policies and procedures, as well as developing rapid response capabilities.