While advisors, broker-dealers and mutual fund firms have stepped up their cybersecurity preparedness, most notably in crafting written policies and procedures, more steps are needed, according to the Securities and Exchange Commission’s exam division.
The agency’s Office of Compliance Inspections and Examinations released a Risk Alert on Monday detailing the results of its Cybersecurity 2 Initiative, in which the agency examined 75 firms registered with the SEC to assess how those firms are implementing cybersecurity measures.
The Cybersecurity 2 Initiative built upon prior cybersecurity exams, particularly OCIE’s 2014 Cybersecurity 1 Initiative, and involved more validation and testing of procedures and controls surrounding cybersecurity preparedness than was previously performed.
As noted in OCIE’s 2017 priorities, the alert points out that examiners “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
The examinations focused on the firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed.
SEC staffers also sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
SEC examiners noted an “overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices” since the Cybersecurity 1 Initiative.
All broker-dealers, all funds and nearly all advisors examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information, the alert said.
However, while written policies and procedures were maintained addressing cyber-related protection of customer/shareholder records and information, “a majority of the firms’ information protection policies and procedures appeared to have issues,” the alert states.
For instance, policies and procedures were not “reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.”
Also, firms “did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices,” the alert said.
The alert pointed to the following examples of “robust controls” that firms may want to consider as they continue to implement cybersecurity-related policies and procedures:
- Maintenance of an inventory of data, information and vendors. Policies and procedures included a complete inventory of data and information, along with classifications of the risks.
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities.
- Established and enforced controls to access data and systems.
- Mandatory employee training.
- Engaged senior management. The policies and procedures were vetted and approved by senior management.