While advisors, broker-dealers and mutual fund firms have stepped up their cybersecurity preparedness, most notably in crafting written policies and procedures, more steps are needed, according to the Securities and Exchange Commission’s exam division.
The agency’s Office of Compliance Inspections and Examinations released Monday a Risk Alert detailing results of its Cybersecurity 2 initiative in which the agency examined 75 firms registered with the SEC to assess how the firms are implementing cybersecurity measures.
The Cybersecurity 2 Initiative built upon prior cybersecurity exams, particularly OCIE’s 2014 Cybersecurity 1 Initiative, and involved more validation and testing of procedures and controls surrounding cybersecurity preparedness than was previously performed.
As noted in OCIE’s 2017 priorities, the alert points out that examiners “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
The examinations focused on the firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed.
SEC staffers also sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.