By Jacquelyn Lumb
The SEC’s Office of Compliance Inspections and Examinations has seen an improvement in firms’ awareness of cyber-related risks and in the implementation of cybersecurity practices since its first cybersecurity examination initiative, undertaken in 2014. OCIE recently released a summary of its observations following cybersecurity examinations of 75 broker-dealers, investment advisers, and investment companies. The staff assessed industry practices and cybersecurity preparedness, and included more validation and testing of procedures and controls than in previous examinations.
Policies and procedures. The staff found that all of the broker-dealers, all of the funds, and most of the advisers had written policies and procedures to address the protection of customer or shareholder records and information. Most of the registrants conducted periodic risk assessments, penetration tests, and vulnerability scans of critical systems. All of the firms had methods for detecting data loss relating to personally identifiable information.
Maintenance and response. All of the broker-dealers and most of the funds and advisers had systems for maintaining software, including the installation of patches to address security vulnerabilities, but some of the firms had not installed critical security updates. Most of the broker-dealers had plans for responding to data breaches and for notifying customers of material events, but fewer than two-thirds of the funds and advisers had such plans. Almost all of the firms conducted vendor risk assessments or required vendors to provide their risk management and performance reports and security reviews or certification reports.
Areas for improvement. The staff concluded that firms could improve in a number of areas, including the adoption of policies and procedures tailored to the firm in place of general or vague guidance; the enforcement of existing policies, such as conducting the required annual customer protection reviews and cybersecurity awareness training; and adequate system maintenance, such as installing software patches to address vulnerabilities.
Best practices. OCIE also reported on a number of elements found during the review that reflected robust controls, including the maintenance of inventories of data, information, and vendors, and maintaining detailed cybersecurity-related instructions on conducting penetration tests, security monitoring and system auditing, access rights, and reporting of incidents. Some firms had prescriptive schedules and processes for testing data integrity and vulnerabilities; established and enforced controls to access data and systems; had mandatory employee training; and had policies and procedures that were vetted and approved by senior management.
OCIE advised that cybersecurity remains a top compliance risk for financial firms and the staff will continue to examine for compliance procedures and controls.