Cybersecurity improvements still fall short of SEC expectations

Earlier this week, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert on cybersecurity examination findings from its Cybersecurity 2 Initiative. This Initiative was more in-depth than Cybersecurity 1 and focused on how firms implemented data security controls. Examiners tested firm procedures to determine if those procedures could identify and mitigate actual or potential security breaches. Exams focused on the following areas:

  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response

Overall, the Staff found many improvements amongst broker-dealers, investment companies, and investment advisers since the Cybersecurity 1 Initiative. However, investment advisers continue to be the laggards in the industry, and several issues were observed that still require attention by firms, including:

  1. Written Response Plans – fewer than two-thirds of investment advisers and funds had written response plans
  2. Lack of Customized Policies – firms tended to utilize off-the-shelf plans that lacked specific details for employees to implement the policies
  3. Policies Not Enforced or Did Not Reflect Actual Practice – policies did not match practice regarding the timing of activities performed, contained contradictory instructions to employees, or lacked training guidelines or enforcement
  4. Regulation S-P Deficiencies – firms had insufficient system maintenance or failed to install software patches to address system vulnerabilities
  5. Stale Risk Assessments – firms utilized outdated operating systems not supported by current patches
  6. Lack of Remediation Efforts – firm findings from previous penetration or vulnerability testing were not adequately addressed or mitigated

The Staff took the opportunity to also address several positive actions firms have taken and cited several examples of successful cybersecurity practices.

View OCIE’s National Exam Program Risk Alert, “Observations from Cybersecurity Examinations,” August 7, 2017.