SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative
Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.” A copy of the summary is available here. This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.
OCIE examined the cybersecurity practices of 75 SEC-regulated firms—including broker-dealers, investment advisers, and funds—to “assess industry practices and legal compliance issues associated with cybersecurity preparedness.” Overall, OCIE observed “increased cybersecurity preparedness” since 2014.
Generally, OCIE found that a substantial number of the entities it evaluated were conducting periodic cybersecurity risk assessments and penetration tests, regular system maintenance, and were using some form of tool or utility to monitor potential data loss on an ongoing basis. In addition, OCIE found that all broker-dealers and a majority of advisers and funds had permanent staff in place responsible for cybersecurity issues.
OCIE, however, identified several areas where it believed that cybersecurity could be improved. Specifically, OCIE found that most firms did not have cybersecurity policies and procedures in place that were specifically tailored to various situations their firms may encounter, as opposed to general maxims about prioritizing cybersecurity.
In addition, OCIE found that many firms did not appear to adhere to—or enforce—their policies on an ongoing basis, or that the policies did not reflect the firms’ actual practices. In particular, many firms required annual reviews to ensure their policies were working properly, but OCIE found that these reviews were often conducted less frequently. Similarly, many firms required regular employee trainings that were not taking place, or were using outdated security tools.
OCIE also identified several practices of firms that it believed had implemented particularly robust cybersecurity controls that provide good examples for other firms to follow. These practices include maintaining complete data inventories and vendor files; maintaining detailed cybersecurity-related instructions for staff; and following regular schedules for prescriptive cybersecurity maintenance. In addition, OCIE recommended implementing mandatory employee training and the engagement of senior management in cybersecurity issues.
While the OCIE report is not an official policy statement of SEC, it serves as a valuable resource for any SEC-regulated firm looking to improve its cybersecurity compliance or reduce its risk of facing an SEC enforcement action in the future.