OCIE Issues Summary of Observations from Latest Cybersecurity Sweep Exams
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert providing a summary of the staff’s observations from sweep exams of broker-dealers, investment advisers and funds conducted pursuant to the Cybersecurity Examination Initiative announced on September 15, 2015, referred to by the staff as the “Cybersecurity 2 Initiative.”1 The Risk Alert notes that these latest sweep exams involved more validation and testing of procedures and controls surrounding cybersecurity preparedness than was previously performed, which is reflected in the staff’s observations. In the exams, which included 75 broker-dealers, investment advisers and registered funds, the staff reviewed firms’ cybersecurity policies and procedures, which included validation and testing to determine if the policies and procedures were implemented and followed. In addition, to better understand how firms managed their cybersecurity preparedness, the staff focused on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.
Notably, the staff observed an overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since OCIE’s 2014 “Cybersecurity 1 Initiative”-related sweep exams. In particular, the staff noted that all broker-dealers, all funds and nearly all advisers examined maintained written cybersecurityrelated policies and procedures addressing the protection of customer and shareholder records and information, in contrast to the staff’s observations following the Cybersecurity 1 Initiative, in which “comparatively fewer brokerdealers and advisers had adopted this type of written policies and procedures.”
Issues Noted by the Staff and Areas for Improvement
Despite these noted improvements, the staff’s observations highlight certain areas “where compliance and oversight could be improved”:
• “ Reasonably Tailored ” Cybersecurity Policies and Procedures . Despite the staff’s overall observation as to the widespread adoption of written policies and procedures, the staff found that “a majority of the firms’ information protection policies and procedures appeared to have issues,” including policies and procedures that were not sufficiently detailed because they provided employees with “only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.”
•Adherence to or Enforcement of Policies and Procedures . Other issues noted by the staff in connection with policies and procedures included the apparent failure of firms to adhere to or enforce their policies and procedures or that policies and procedures did not reflect the firms’ actual practices. For instance, certain policies called for ongoing reviews to determine whether supplemental security protocols were appropriate, when, in fact, such reviews were performed only annually, or not at all. Similar observations were made with respect to certain policies requiring all employees to complete cybersecurity awareness training; firms did not appear to ensure this training took place or that action was taken with respect to employees who did not complete the training.
•Lack of Remediation Efforts . A number of firms did not appear to fully remediate some of the highrisk observations that they discovered from conducting penetration tests and vulnerability scans on critical systems.
•Issues with Security Patches . A few firms had a significant number of system patches that included critical security updates that had not yet been installed. The staff also identified firms that used outdated operating systems that were no longer supported by security patches.
•Incident Response Plans . Although the “vast majority” of broker-dealers maintained response plans for data breach incidents and most had plans for notifying customers of material events, fewer than two-thirds of the advisers and funds appeared to maintain such plans.
•Formal Processes for Verifying Fund Transfers . Some of the broker-dealers did not appear to memorialize their processes for confirming authority to transfer customer funds to third-party accounts into written supervisory procedures. Instead, these broker-dealers appeared to have informal practices for verifying customers’ identities in order to proceed with requests to transfer funds.
Elements of Robust Policies and Procedures
In addition to the issues observed by the staff, the Risk Alert includes observations regarding elements of cybersecurity policies and procedures of firms that the staff believes had implemented “robust controls.” Although the staff cautions that this should not be viewed as a comprehensive list, firms are advised that the following elements could be useful in the implementation of cybersecurity-related policies and procedures:
•Maintenance of a comprehensive inventory of data, including risk classifications, and information about each service provider and vendor.
•Detailed cybersecurity-related instructions, including specific penetration tests, security monitoring, system auditing and reporting flow charts.
•Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, with prioritized action items based on testing results, as well as patch management policies to seek to ensure that system updates do not have unintended consequences.
•Established and enforced controls to access data and systems, including detailed “acceptable use” policies, mobile device controls and third-party vendor access controls.
•Mandatory employee training at on-boarding and periodically thereafter.
•Engaged senior management who vetted and approved the policies and procedures.
The Risk Alert notes that OCIE will continue examining firms’ cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls
1 As the staff explains in the Risk Alert, the Cybersecurity 2 Initiative built upon prior cybersecurity sweep exams, particularly OCIE’s “Cybersecurity 1 Initiative.” See https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix... (April 15, 2014) and https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-s... (February 3, 2015). The staff examined a different population of firms in the Cybersecurity 2 Initiative than those that were examined in the Cybersecurity 1 Initiative.