The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections (“OCIE”) has issued a Risk Alert that provides observations on cybersecurity arising from OCIE’s examinations conducted pursuant to the Cybersecurity Examination Initiative of 75 registered broker-dealers, investment advisers and investment companies. The initiative was initially focused on making a preliminary assessment of industry practices and legal and compliance issues related to cybersecurity. However, the current initiative focused more on the valuation and testing of procedures and controls surrounding cybersecurity preparedness. To that end, the examinations focused on firms’ written policies and procedures regarding cybersecurity, including the validating and testing of such policies and procedures to confirm that they were implemented and followed.
In general, the SEC examination staff (“staff”) observed that there was increased cybersecurity preparedness since their 2014 Cybersecurity 1 Initiative. However, the staff also observed that there were areas where compliance and oversight could be improved. As a side note, it should be noted that broker-dealers generally fared better than registered investment advisers with respect to the SEC’s observations, in part due to the on-going oversight and exam program of the Financial Industry Regulatory Authority (“FINRA”), which subjects FINRA members to a more rigorous exam cycle.
General Observations of the SEC
A number of the general observations of the SEC that resulted from the Cybersecurity Examination Initiative included:
- Nearly all broker-dealers, and the vast majority of advisers and funds, conducted periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident.
- Nearly all broker-dealers, and almost half of the advisers and funds, conducted penetration tests and vulnerability scans on systems that the firms considered to be critical, although a number of firms did not appear to fully remediate some of the high-risk observations that they discovered from these tests and scans during the review period.
- All broker-dealers, and nearly all advisers and funds, had a process in place to ensure regular system maintenance, including the installation of software patches to address security vulnerabilities.
- Information protection programs at the firms typically included relevant cyber-related topics. These topics included: (i) With respect to policies and procedures, nearly all firms’ policies and procedures addressed cyber-related business continuity planning and Regulation S-P; and (ii) as to response plans. Nearly all of the firms had plans for addressing access incidents. In addition, the vast majority of firms had plans for denial of service incidents and unauthorized intrusions..
- Almost all firms either conducted vendor risk assessments, or required that vendors provide the firms with risk management and performance reports (i.e., internal and/or external audit reports), and security reviews or certification reports. While vendor risk assessments are typically conducted at the outset of a relationship, over half of the firms also required updating such risk assessments on at least an annual basis.
Cybersecurity Issues Noted
The staff observed one or more issues in the vast majority of the examinations performed pursuant to the Cybersecurity Examination Initiative. A number of those issues are noted below, and the SEC noted that it believes firms would benefit from considering them, in order to assess and improve their policies, procedures, and practices related to cybersecurity.
While, it was noted that all broker-dealers and funds, and nearly all investment advisers, maintained written policies and procedures addressing cyber-related protection of customer/shareholder records and information, a majority of the firms’ information protection policies and procedures appeared to have issues. Examples of those issues included:
- Policies and procedures were not reasonably tailored in that they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.
- Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices, such as when the policies:
- Required annual customer protection reviews; however, in practice, they were conducted less frequently.
- Required ongoing reviews to determine whether supplemental security protocols were appropriate; however, such reviews were performed only annually, or not at all.
- Created contradictory or confusing instructions for employees, such as policies regarding remote customer access that appeared to be inconsistent with those for investor fund transfers, making it unclear to employees whether certain activity was permissible.
- Required all employees to complete cybersecurity awareness training; however, firms did not appear to ensure this occurred and take action concerning employees who did not complete the required training.
- The staff also observed Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information. Examples included: (i) Using stale or outdated operating systems that were no longer supported by security patches; and (ii) Lack of remediation efforts in a timely manner in those situations where there were high-risk findings from penetration tests or vulnerability.
Investment Advisers and Cybersecurity
It should be noted that advisory firms appear to have more ground to make up with respect to cybersecurity in at least three areas. First, not all investment advisers had written procedures, and those that did had deficiencies. Second, less than half of the advisers conducted penetration tests and vulnerability scans on systems that the firms considered to be critical, which is becoming the norm with respect to broker-dealers. Finally, less than one third of the advisory firms had response plans addressing access incidents and plans for notifying customers of material events.
The primary take-a-way from the SEC’s Risk Alert on cybersecurity is that the SEC remains focused on cybersecurity, and that in their view, it is one of the top compliance risks for financial firms. With that said, it is clear that both broker-dealers and advisers need to aggressively focus on both the on-going development of their cybersecurity procedures, and also their implementation of same. We will discuss the elements of what the SEC believes to be robust cybersecurity policies and procedures at a later date.