September 19, 2021

Volume XI, Number 262

September 17, 2021

SEC Issues Risk Alert on Observations From Cybersecurity Examinations

On August 7, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing observations from its second round of cybersecurity-focused examinations (Cybersecurity 2 Initiative), which assessed financial services firms’ practices and the legal and compliance issues related to their cybersecurity preparedness. The Cybersecurity 2 Initiative builds upon OCIE’s prior round of cybersecurity examinations of broker-dealers and investment advisers, which began in 2014 (Cybersecurity 1 Initiative). In the Cybersecurity 2 Initiative, the OCIE staff examined 75 firms, including broker-dealers, investment advisers and registered investment companies, between September 2015 and June 2016, focusing on the firms’ written cybersecurity policies and procedures and testing the implementation of those policies and procedures. In addition, the staff reviewed the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.

While the staff reported a general improvement in cybersecurity preparedness since the Cybersecurity 1 Initiative, the staff also noted areas where compliance and oversight could be improved. The Risk Alert indicates that all broker-dealers and funds, and nearly all advisers, maintained written cybersecurity policies and procedures, but that a majority of those policies and procedures appeared to have deficiencies. Examples of these deficiencies include: (1) policies and procedures not being reasonably tailored to the firm; (2) firms not adhering to or enforcing their policies and procedures; and (3) policies and procedures not reflecting firms’ actual practices. In addition, the staff found Regulation S-P-related issues among firms that did not appear to conduct adequate system maintenance to protect customer records and information. The Risk Alert also sets forth elements that the OCIE staff considers indicative of robust policies and procedures, which may be helpful to firms in assessing and improving their current policies and procedures.

The Risk Alert is available here.

©2021 Katten Muchin Rosenman LLP
National Law Review, Volume VII, Number 230

About this Author

David Y. Dickstein, Financial Services Lawyer, Katten Muchin Rosenman LLP
Partner

David Dickstein represents broker-dealers, investment advisers, investment companies and hedge funds in connection with a variety of regulatory, compliance and operational matters. David regularly counsels investment advisers on registration and regulatory matters, such as the need for registration, conflict of interest disclosures, soft dollars and best execution, firm advertising and marketing, federal and state pay-to-play matters, trade allocations and personal trading. He also advises broker-dealers on registration and ongoing compliance matters, mutual fund supermarkets...

212-940-8506