SEC Issues Risk Alert on Observations From Cybersecurity Examinations
On August 7, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing observations from its second round of cybersecurity-focused examinations (Cybersecurity 2 Initiative), which assessed financial services firms’ practices and the legal and compliance issues related to cybersecurity preparedness. The Cybersecurity 2 Initiative builds upon OCIE’s prior round of cybersecurity examinations of broker-dealers and investment advisers, which was initiated in 2014 (Cybersecurity 1 Initiative). In the Cybersecurity 2 Initiative, the OCIE staff examined 75 firms, including broker-dealers, investment advisers and registered investment companies, between September 2015 and June 2016, focusing on the firms’ written cybersecurity policies and procedures and testing the implementation of those policies and procedures. In addition, the staff reviewed the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.
While the staff reported a general improvement in cybersecurity preparedness since the Cybersecurity 1 Initiative, the staff also noted areas where compliance and oversight could be improved. The Risk Alert indicates that all broker-dealers and funds, and nearly all advisers, maintained written cybersecurity policies and procedures, but that a majority of those policies and procedures appeared to have deficiencies. Examples of these deficiencies include: (1) policies and procedures not being reasonably tailored to the firm; (2) firms not adhering to or enforcing their policies and procedures; and (3) policies and procedures not reflecting firms’ actual practices. In addition, the staff found Regulation S-P-related issues among firms that did not appear to conduct adequate system maintenance to protect customer records and information. The Risk Alert also sets forth elements that the OCIE staff considers indicative of robust policies and procedures, which may be helpful to firms in assessing and improving their current policies and procedures.
The Risk Alert is available here.