June 20, 2018


SEC Issues Risk Alert on Observations From Cybersecurity Examinations

On August 7, 2017, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing observations from its second round of cybersecurity-focused examinations (Cybersecurity 2 Initiative), which assessed financial services firms’ practices and the legal and compliance issues related to their cybersecurity preparedness. The Cybersecurity 2 Initiative builds upon OCIE’s prior round of cybersecurity examinations of broker-dealers and investment advisers, which began in 2014 (Cybersecurity 1 Initiative). In the Cybersecurity 2 Initiative, the OCIE staff examined 75 firms, including broker-dealers, investment advisers and registered investment companies, between September 2015 and June 2016, focusing on the firms’ written cybersecurity policies and procedures and testing the implementation of those policies and procedures. In addition, the staff reviewed the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.

While the staff reported a general improvement in cybersecurity preparedness since the Cybersecurity 1 Initiative, the staff also noted areas where compliance and oversight could be improved. The Risk Alert indicates that all broker-dealers and funds, and nearly all advisers, maintained written cybersecurity policies and procedures, but that a majority of those policies and procedures appeared to have deficiencies. Examples of these deficiencies include: (1) policies and procedures not being reasonably tailored to the firm; (2) firms not adhering to or enforcing their own policies and procedures; and (3) policies and procedures not reflecting the firms’ actual practices. In addition, the staff found Regulation S-P-related issues among firms that did not appear to conduct adequate system maintenance to protect customer records and information. The Risk Alert also sets forth elements that the OCIE staff considers indicative of robust policies and procedures, which may be helpful to firms in assessing and improving their current policies and procedures.

The Risk Alert is available here.

©2018 Katten Muchin Rosenman LLP


About the Authors

Ayah Sultan, Katten Law Firm, Financial Services Attorney

Ayah Sultan is an associate in the Financial Services practice.

While in law school, Ayah served as an editor of the Harvard Business Law Review, a member of the Harvard Law Entrepreneurship Project and a board member of the Women's Law Association.

David Y. Dickstein, Financial Services Lawyer, Katten Muchin Law Firm

David Dickstein represents broker-dealers, investment advisers, investment companies and hedge funds in connection with a variety of regulatory, compliance and operational matters. David regularly counsels investment advisers on registration and regulatory matters, such as the need for registration, conflict of interest disclosures, soft dollars and best execution, firm advertising and marketing, federal and state pay-to-play matters, trade allocations and personal trading. He also advises broker-dealers on registration and ongoing compliance matters, mutual fund supermarkets on mutual fund distribution issues and brokerage and advisory firms on structuring and offering wrap fee programs and other financial products. In addition, David provides assistance in responding to Securities and Exchange Commission (SEC) investigations and examinations and in conducting compliance audits and regulatory reviews.