On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first “Cybersecurity 1” Initiative in 2014, but it also noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” Risk Alert is that, while most firms now have written policies and procedures, simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations, procedures that demonstrate the implementation of those policies, and documented results showing compliance with those procedures.
This Risk Alert summarized OCIE’s general observations of the firms’ cybersecurity-related policies and procedures, and then highlighted common issues and best practices. The survey followed an initial survey in 2014 and covered an additional 75 broker-dealers, investment advisers, and investment companies to assess their vulnerability to cyber-attacks.
Overall Observations on Common Cybersecurity Practices
Some key observations from the Cybersecurity 2 Initiative included:
- Nearly pervasive presence of cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information.
- Consistent periodic risk assessments of critical systems.
- Nearly all broker-dealers and almost half of the advisers and funds conducted penetration tests and vulnerability scans.
- All surveyed firms utilized some data loss prevention tool.
- Improved processes for ensuring regular system maintenance, including the installation of software patches.
- Information protection programs at the firms typically included relevant cyber-related topics, such as response plans for addressing access incidents and policies and procedures addressing cyber-related business continuity planning and Regulation S-P.
- Most firms specifically identified employees to be in charge of cyber-related responsibilities and had cybersecurity organizational charts.
- The vast majority of firms obtained authority from customers / shareholders prior to transferring funds to third party accounts.
- Almost all firms conducted vendor risk assessments.
OCIE focused its observations on firms’ adaptation, validation and testing of procedures and controls surrounding cybersecurity preparedness. The Risk Alert highlighted common issues among the 75 firms, including:
- A majority of firms’ information protection policies and procedures appeared to have issues, such as not being reasonably tailored (e.g., too narrow or vague) or not being properly enforced (e.g., periodic reviews not completed as often as required, or contradictory or confusing instructions and policies).
- Regulation S-P-related issues were observed among firms that did not appear to adequately conduct system maintenance. For instance:
  - stale risk assessments,
  - use of outdated operating systems no longer supported by security patches, and
  - untimely remediation of high-risk findings from penetration tests.
Elements of Robust Policies and Procedures
The Risk Alert also included a list of best-practices observed by firms with robust policies and procedures. Specifically, OCIE encouraged all firms to:
- Maintain an inventory of data, information, and vendors.
- Create detailed cybersecurity-related instructions that implement policies, covering such things as penetration tests, security monitoring and system auditing, access rights, and reporting of exposed sensitive information.
- Maintain prescriptive schedules and processes for testing data integrity and vulnerabilities, including vulnerability scans and patch management policies.
- Establish and enforce controls over access to data and systems, for instance “acceptable use” policies, required and enforced restrictions and controls for mobile devices, third-party vendor management, and employee termination protocols.
- Mandate employee training.
- Engage senior management.
A Note on Timing
Some of OCIE’s findings may be dated. The examinations were conducted between September 2015 and June 2016, and generally covered the review period October 1, 2014 through September 30, 2015. Additionally, OCIE previously provided some of its findings in May 2017 following the WannaCry ransomware cyberattack. (For more background, see SEC Issues “WannaCry” Ransomware Alert to Broker-Dealers and Investment Companies (May 19, 2017)).
The Cybersecurity 2 OCIE Risk Alert was surely intended to demonstrate the SEC’s continuing emphasis on this area. Exams now regularly include cybersecurity inquiries, and enforcement actions underscore that cybersecurity remains an SEC priority, such as the recent Galen Marsh action, which focuses on “insider threats” and the need to ensure robust access controls.
SEC-regulated institutions should ensure that they have developed a robust, documented cybersecurity program. Merely having a written policy or buying a new piece of technology will not by itself pass muster. It is essential to have the people, resources, and procedures in place to demonstrate the cybersecurity policy is implemented, systems are tested, and the gaps are closed. Conducting testing, tracking findings, and documenting the response to those findings can create compelling compliance documentation.
Moreover, the cybersecurity program must continue to protect confidential information when it is being processed by third party service providers. Regulated institutions must ensure that their service providers are contractually obligated to maintain security and can provide evidence of that commitment. Contracts with accountants, administrators, attorneys, auditors, brokers, consultants, and others should be examined to ensure appropriate terms are present.
The SEC also mentioned what may be the key to any successful cybersecurity program — engaged senior management. Regular, documented reporting to senior management, and documented direction from senior management, are crucial elements in demonstrating an institution’s commitment to mitigating cybersecurity risks.