Recent SEC Observations from Cybersecurity Examinations
The Securities and Exchange Commission (the "SEC") Office of Compliance Inspections and Examinations (the "OCIE" or the "Staff") examined 75 firms registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity. According to a National Exam Program Risk Alert issued on August 7, 2017, the examinations focused on the following areas: governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

The Staff noted an overall improvement in firms' awareness of cyber-related risks and in the implementation of certain cybersecurity practices. Most notably, all broker-dealers, all funds, and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information. However, the Staff noted that firms should continue to focus on the following cybersecurity-related areas to improve their compliance programs:

• Policies and procedures must be tailored to a firm's specific needs; general guidance is not sufficient. In addition, firms should follow up and take action with employees who missed cybersecurity awareness training sessions.
• Firms should conduct ongoing system maintenance to address security vulnerabilities and implement other operational safeguards to protect customer records and information. For example, operating systems should be updated and certain findings from vulnerability scans should be addressed in a timely manner.
• Firms should ensure that their software patching is current.
• Firms should conduct ongoing cyber due diligence of their vendors.
Conclusion: Cybersecurity remains one of the top compliance risks for financial firms. As noted in the OCIE 2017 priorities, the Staff will continue to examine cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms. If you need guidance regarding your cybersecurity procedures, please contact Daniel G. Viola at 212.573.8038, email@example.com.
Link to the OCIE Risk Alert: https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf