In August 2017, the SEC’s Office of Compliance Inspection and Examinations (OCIE) issued a Risk Alert outlining observations from its “Cybersecurity 2 Initiative,” which was built upon its 2014 “Cybersecurity 1 Initiative.” Notably, this alert offered a rare industry compliment, describing “an overall improvement” in cybersecurity practices and processes since the Cybersecurity 1 Initiative. Below we summarize the OCIE staff’s observations, certain criticisms and their descriptions of robust policies, procedures and practices.
OCIE staff’s general examination observations included that many firms:
- Conducted periodic cybersecurity risk assessments;
- Conducted penetration tests and vulnerability scans;
- Utilized tools to prevent, detect and monitor for data loss related to personally identifiable information;
- Had processes in place for ensuring regular system maintenance checks;
- Had policies and procedures that addressed Regulation S-P, business continuity and incident response plans;
- Identified cybersecurity roles and responsibilities;
- Had policies, procedures and processes regarding account verification; and
- Conducted vendor risk assessments or required that vendors provide firms with their own assessments.
The staff also identified areas of needed improvement by firms, such as:
- General cybersecurity policies and procedures not tailored to firms’ businesses;
- Failure to conduct annual customer protection reviews on a consistent basis;
- Supplemental security protocol reviews performed only annually or not at all;
- Contradictory or confusing instructions regarding practices such as remote access and fund transfers;
- Lax oversight of cybersecurity training; and
- Regulation S-P issues such as stale risk assessments and lack of remedial efforts related to penetration tests and vulnerability scans.
The staff then advised the industry of its views on certain robust policies, procedures and practices, and recommended that firms consider implementing:
- Maintenance of an inventory of data, information and vendors;
- Detailed cybersecurity-related instructions;
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access data and systems;
- Mandatory employee training; and
- Engaged senior management.
OCIE concluded this alert by reminding firms that examining for cybersecurity compliance procedures and controls, including the testing of the implementation of these procedures and controls, will remain an SEC priority.
As part of the SEC’s ongoing prioritization of cybersecurity issues, in late September 2017, the SEC announced the creation of a Division of Enforcement specialty “Cyber Unit.” Thus, in addition to the increased regulatory scrutiny by OCIE, the industry can expect more cyber enforcement actions in the future.
For more detailed broker-dealer guidance regarding managing cybersecurity risks, we recommend referencing FINRA’s “Report on Cybersecurity Practices.” This report provides broker-dealers with more descriptive guidance that can be applied by firms proactively to improve their cybersecurity policies, procedures and processes. Firms can apply this guidance and the guidance in OCIE’s alerts to strive for best practices to avoid the SEC’s new “Cyber Unit.”