As financial services firms grow increasingly dependent on digital technologies, they become more vulnerable to cyberattacks. As a result, cybersecurity has become one of the biggest challenges these firms face and a top priority for the SEC, the Financial Industry Regulatory Authority (FINRA) and other regulators.
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert summarizing its observations from cybersecurity examinations. The alert urges SEC-registered firms to consider adopting, in their own cybersecurity policies and procedures, the elements the staff observed at firms with the most robust controls.
In April 2014, the OCIE launched a cybersecurity initiative designed to assess cybersecurity preparedness in the securities industry, examining 57 registered broker-dealers and 49 registered investment advisers. More recently, as part of its “Cybersecurity 2” initiative, the OCIE examined 75 SEC-registered firms — including broker-dealers, investment advisers and investment companies — building on its previous (“Cybersecurity 1”) initiative but performing additional validation and testing. The examinations focused on firms’ written cybersecurity policies and procedures and tested the degree to which they were implemented and followed.
In general, the OCIE has observed improved cybersecurity preparedness since its Cybersecurity 1 initiative. But it also sees room for improvement at a majority of firms. For example, many firms’ policies and procedures provide only general or vague guidance rather than being tailored to the firm’s specific circumstances, and at many firms there is a disconnect between the written policies and procedures and actual practice. The OCIE staff also observed system maintenance issues affecting the safeguarding of customer records and information: firms failing to install security patches promptly, and failing to remediate high-risk findings from penetration tests and vulnerability scans in a timely manner.
The alert identifies several elements included in the policies and procedures of firms that have implemented “robust” controls. They include:
- Maintenance of a complete inventory of data, information and vendors, with classifications of the associated risks, vulnerabilities, data and business consequences, and information regarding each service provider or vendor;
- Detailed instructions on cybersecurity-related activities, including penetration tests, security monitoring and system auditing, access rights, and reporting;
- Prescriptive schedules and processes for testing data integrity and vulnerabilities, including regular vulnerability scans and a defined security patch management policy;
- Established and enforced data- and systems-access controls, including 1) detailed acceptable use policies, 2) mobile device restrictions and controls, 3) requirements that vendors periodically provide logs of their activity on the firm’s networks, and 4) requirements for immediately terminating the access of departing employees; and
- Mandatory information security training for all employees at onboarding and periodically thereafter.
The OCIE also highlights the importance of engaged senior management. Top leadership at firms with the strongest controls generally vets and approves cybersecurity policies and procedures.
Review Your Program
The SEC views cybersecurity as one of the biggest compliance risks for financial services firms. So you can expect its staff to continue scrutinizing your cybersecurity procedures and controls and to test whether they’re actually being implemented and followed. To ensure that your firm remains in compliance, familiarize yourself with SEC and FINRA guidance and consider incorporating the best practices listed above. Just as important, verify that what your policies say matches what your systems and staff actually do, since that gap was among the staff’s most frequent findings.