The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a new Risk Alert this week on cybersecurity. The risk alert summarizes observations from their phase 2 cybersecurity examinations conducted in 2015 and 2016. In phase 2, OCIE examined 75 firms, including broker-dealers, investment advisers, and registered funds.
The examinations focused on written policies and procedures regarding cybersecurity and testing the implementation of those procedures. The exams also sought to better understand how firms managed their cybersecurity preparedness by focusing on
- governance and risk assessment;
- access rights and controls;
- data loss prevention;
- vendor management;
- training; and
- incident response.
What are firms doing right?
- Conducting periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident.
- Conducting penetration tests and vulnerability scans on systems that the firms considered to be critical.
- Using some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
- Ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.
- Having business continuity plans and response plans.
- Identifying cybersecurity roles and responsibilities for the firms’ workforce.
- Verifying customer identification before transferring funds.
- Conducting vendor risk assessments.
What are firms doing wrong?
- Policies and procedures were not reasonably tailored to the organization.
- Not conducting annual reviews.
- Not reviewing security protocols at least annually.
- Inconsistent instructions on remote access.
- Not making sure that all employees received cybersecurity training.
- Not fixing problems found in penetration tests.
The risk alert finishes with the elements the OCIE sees as indicative of a firm implementing robust cybersecurity controls. I think most CCOs should grab a copy of the risk alert and sit down with their policies and CTOs to see how they stack up against those elements.
Sources: