On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert containing examiners’ latest observations regarding cybersecurity. OCIE’s Cybersecurity 2 Initiative is a follow-up to its Cybersecurity 1 Initiative, which was launched in 2014. In its most recent cybersecurity initiative, staff from the National Examination Program examined 75 broker-dealers, Registered Investment Advisers, and investment companies.
During OCIE’s Cybersecurity 2 Initiative, examinations focused on firms’ written cybersecurity policies and procedures and on how those policies were validated and tested. Examiners increased their scrutiny of validation and testing to confirm that policies and procedures were actually implemented and followed by firm personnel, not merely written down. As we all know, policies and procedures are worthless if they are ignored and not enforced.
Examiners scrutinized how firms managed their cybersecurity preparedness by focusing on:
- Governance and risk assessment;
- Access rights and controls;
- Data loss prevention;
- Vendor management;
- Training; and
- Incident response.
Although examiners found that firms had generally improved their awareness of cyber-related risks and had taken steps to address them, a number of areas still needed improvement. Examiners observed policies and procedures that were not reasonably tailored to the cyber risks the firm actually faced; they gave employees only general, and sometimes vague, guidance.
In many instances, firms did not adhere to or enforce their own policies and procedures, and in some instances those policies and procedures did not reflect the firm’s actual practices. Although employees were required to complete cybersecurity awareness training, firms did not always verify that they had done so, and took no action against employees who failed to complete it.
Examiners also encountered deficiencies related to Regulation S-P, which requires firms to safeguard customer records and information. Firms did not appear to conduct adequate system maintenance, such as installing software patches to address known security vulnerabilities, and lacked operational safeguards to protect customer records and information. In addition, high-risk findings from penetration tests and vulnerability scans were not remediated in a timely manner.
OCIE’s Risk Alert can be found at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf. We will look more closely at this Risk Alert in the September 2017 newsletter.