On Aug. 7, 2017, the Securities and Exchange
Commission's Office of Compliance Inspections and Examinations
(OCIE) released a risk alert summarizing
the results of its second cybersecurity preparedness examination.
The examination, which OCIE conducted in 2015 and 2016, covered
a one-year period beginning in October 2014 and surveyed 75
regulated broker-dealers, investment advisers and funds. OCIE's
report observed that financial firms had improved their
cybersecurity preparedness since OCIE's first cybersecurity
examination, the results of which were released in February 2015.
However, OCIE also found numerous areas in which firms
could improve their cybersecurity compliance and
oversight.
OCIE's report highlighted various improvements in the
industry since the previous examination. Notably, all the examined
broker-dealers and funds, and nearly all the examined advisers,
maintained written cybersecurity policies and procedures regarding
protecting customer/shareholder information and records. Further,
the vast majority of examined firms conducted periodic
cybersecurity risk assessments. Additionally, all the examined
firms had implemented some system or tool to prevent, detect, and
monitor data loss pertaining to personally identifiable
information. The report also noted that the majority of examined
firms engaged in penetration testing and conducted vulnerability
scans, obtained or conducted vendor risk assessments, and had a
process for ensuring regular system maintenance.
Despite these positive findings, OCIE observed that the
"vast majority" of examined firms had one or more
cybersecurity deficiencies to address. In particular, OCIE observed
that many firms' cybersecurity policies and procedures were
"not reasonably tailored" because, for example,
"they provided employees with only general guidance,
identified limited examples of safeguards for employees to
consider, were very narrowly scoped, or were vague, as they did not
articulate procedures for implementing the policies." Further,
OCIE observed that firms "did not appear to adhere to or
enforce policies and procedures, or the policies and procedures did
not reflect the firms' actual practices." OCIE noted, for
example, that some firms failed to perform ongoing security reviews
or to ensure that all employees completed cybersecurity awareness
training. OCIE also found that some firms lacked procedures needed
to address Regulation S-P, which governs the privacy of consumer
financial information.
To encourage good practices, OCIE's report
listed elements of robust policies and procedures. These
elements include:
- Maintaining a complete inventory of data, information and vendors.
- Providing detailed instructions and policies concerning penetration tests, security monitoring, system auditing, access rights and reporting.
- Maintaining prescriptive schedules and processes for testing data integrity and vulnerabilities.
- Establishing and enforcing controls to access data and systems.
- Mandating training for all employees.
- Engaging senior management to vet and approve cybersecurity policies and procedures.
OCIE's report noted that cybersecurity "remains
one of the top compliance risks for financial firms" and that
OCIE "will continue to examine for cybersecurity compliance
procedures and controls, including testing the implementation of
those procedures and controls at firms." With this ongoing
focus and the potential trouble areas identified in OCIE's risk
alert, covered firms should revisit their policies and procedures
to confirm compliance — and consider where improvements could
be made.
Additionally, on Sept. 25, 2017, the SEC announced the
creation of a Cyber Unit as part of the Enforcement Division's
efforts to address cyber-based threats. The Cyber Unit will focus
on misconduct such as:
- Market manipulation schemes involving false information spread through electronic and social media.
- Hacking to obtain material non-public information.
- Violations involving distributed ledger technology and initial coin offerings.
- Intrusions into retail brokerage accounts.
- Cyber-related threats to trading platforms and other critical market infrastructure.
Robert A. Cohen, formerly of the Market Abuse Unit, was appointed chief of the Cyber Unit. Meanwhile, the regulator also announced the establishment of a retail strategy task force, which will aim to develop "proactive, targeted initiatives" to identify large-scale misconduct impacting retail investors.