On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, the Cybersecurity 2 Initiative focused more on validating and testing cybersecurity procedures and controls, with the alert highlighting improvements, deficiencies and best practices for registered firms.
Although OCIE noted improvements across the board (with all or “nearly all” broker-dealers leading advisers and investment companies in a number of areas), it also identified a number of deficiencies.
Written Policies and Procedures
Firms generally scored high marks on maintaining written policies and procedures addressing cybersecurity, including Regulation S-P, Regulation S-ID, business continuity planning, the cybersecurity roles and responsibilities of their employees, and their response procedures to access incidents and intrusions that could cause service disruptions or lead to data breaches.
OCIE determined that some policies and procedures were not reasonably tailored: they offered only “general guidance” and “limited examples of safeguards,” were “narrowly scoped” or “vague,” or were perceived as providing “contradictory or confusing instructions” that employees might find difficult to follow.
Some firms also did not follow their policies and procedures, conducting reviews less frequently than prescribed or failing to ensure that all employees completed their required cybersecurity awareness training. And other policies and procedures were stale. For example, OCIE reported that “less than two thirds” of advisers and funds appeared to maintain their data breach incident response plans.
“Nearly all” broker-dealers and the “vast majority” of advisers and investment companies conducted periodic risk assessments of their information systems.
“Almost all firms” conducted initial risk assessments of third-party service providers either directly or through various reports or certifications at the outset, and “over half of the firms” updated these assessments at least annually.
Penetration Testing and Vulnerability Scans
“Nearly all” broker-dealers and “almost half” of advisers and investment companies conducted penetration tests and vulnerability scans on “critical” systems.
A “number” of firms failed to fully remediate certain risks identified through their penetration tests and vulnerability scans.
Data Loss Prevention
All broker-dealers and “nearly all” advisers and investment companies instituted procedures to maintain their information systems.
A “few” firms failed to install system patches, including security updates, while others used outdated operating systems that no longer receive security patches.
All advisers and investment companies maintained written policies and procedures to verify the identity of a customer requesting a funds transfer.
Some broker-dealers failed to memorialize customer verification procedures for funds transfers, relying instead on informal practices for confirming a customer’s identity prior to honoring transfer requests. As scams involving fraudulent wire transfers proliferate, formal procedures and redundant safeguards to protect against unauthorized requests are key.
Best Practices. OCIE also provided a noncomprehensive list of best practices identified during its examinations, suggesting that firms consider implementing these measures to bolster their cybersecurity programs. In addition to encouraging firms to undertake the compliance efforts discussed above, OCIE recommended that firms consider steps such as:
- Maintaining an inventory of their information assets and associated vendors, as applicable, classified by risks and vulnerabilities. This recommendation appears to go hand in hand with a firm’s ability to conduct its periodic risk assessments.
- Tracking requests to access information systems, including policies and procedures for modifying access rights when hiring, terminating or changing responsibilities of employees. Although the risk alert did not specifically reference third-party service providers here, this recommendation likely would apply to them as well.
- Requiring and enforcing restrictions and controls for mobile devices that access information systems, including password protection and encryption. This recommendation acknowledges evolving business practices, the ubiquity of mobile devices and the necessity of remote access.
Because cybersecurity remains one of the SEC’s top priorities, registered firms should, among other things, measure themselves against these improvements, deficiencies and best practices to ensure they are keeping up with regulatory expectations.