SEC’s Observations on the Elements of Robust Cybersecurity Policies and Procedures

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections (“OCIE”) issued a Risk Alert that provides its observations on the elements of robust cybersecurity policies and procedures.  Those observations resulted from OCIE’s examinations conducted pursuant to the Cybersecurity Examination and the elements noted by OCIE staff (“staff”) during the review of the respective policies and procedures, are those that the staff believes had resulted in the implementation of robust controls.

While the elements noted are not intended to be a comprehensive list of what it takes to have robust cybersecurity policies and procedures, it does reflect a base line for the 2017 compliance year.  Therefore, firms may wish to consider the elements discussed below, as while some are not necessarily new, they do provide a road-map for future compliance, and are useful in the preparation, evolution and implementation of cybersecurity policies and procedures.

Elements Discussed

Maintenance of an inventory of data, information, and vendors. Policies and procedures included a complete inventory of data and information, along with classifications of the risks, vulnerabilities, data, business consequences, and information regarding each service provider and vendor, if applicable.

Detailed cybersecurity-related instructions. Examples included:

  • Penetration tests – policies and procedures included specific information to review the effectiveness of security solutions.
  • Security monitoring and system auditing – policies and procedures regarding the firm’s information security framework included details related to the appropriate testing methodologies.
  • Access rights – requests for access were tracked, and policies and procedures specifically addressed modification of access rights, such as for employee on-boarding, changing positions or responsibilities, or terminating employment.
  • Reporting – policies and procedures specified actions to undertake, including who to contact, if sensitive information was lost, stolen, or unintentionally disclosed/misdirected.

Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities. Examples included:

  • Vulnerability scans of core IT infrastructure were required to aid in identifying potential weaknesses in a firm’s key systems, with prioritized action items for any concerns identified.
  • Patch management policies that included, among other things, the beta testing of a patch with a small number of users and servers before deploying it across the firm, an analysis of the problem the patch was designed to fix, the potential risk in applying the patch, and the method to use in applying the patch.

Established and enforced controls to access data and systems. For example, the firms:

  • Implemented detailed “acceptable use” policies that specified employees’ obligations when using the firm’s networks and equipment.
  • Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications.
  • Required third-party vendors to periodically provide logs of their activity on the firms’ networks.
  • Required immediate termination of access for terminated employees and very prompt (typically same day) termination of access for employees that left voluntarily.

Mandatory employee training. Information security training was mandatory for all employees at on-boarding and periodically thereafter, and firms instituted policies and procedures to ensure that employees completed the mandatory training.

Engaged senior management. The policies and procedures were vetted and approved by senior management.


Cybersecurity is one of the top 3 risks that broker-dealers and investment advisers currently face.  Firms should incorporate the elements discussed above into their respective procedures, as they are a clear base line that financial firms will be judged against in the event of a cybersecurity breach by a firm.   As such, it is clear that both broker-dealers and advisers need to aggressively focus on both the on-going development of their cybersecurity procedures, and also their implementation of same.