OCIE Issues Its Observations From Its Cybersecurity 2 Initiative
On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its observations from recent examinations of broker-dealers, registered investment advisers (RIAs) and registered investment companies (RICs) that assessed the firms’ cybersecurity preparedness. Industry members will find those observations a useful roadmap of the issues OCIE is likely to raise in future exams of SEC registrants.
OCIE favorably noted that:
- almost all firms periodically conducted risk assessments of critical systems to identify threats, vulnerabilities and potential consequences;
- most broker-dealers, and about half of the advisers and funds, conducted penetration tests and vulnerability scans on critical systems, although a number of firms did not fully remediate the issues those tests uncovered;
- all firms used a system, utility or tool to prevent, detect and monitor the loss of personally identifiable information; and
- most firms had processes in place for regular system maintenance, including the installation of software patches, as well as cybersecurity organizational charts and standards for verifying the identity of clients seeking to transfer funds.
Nevertheless, OCIE did note areas with room for improvement:
- Policies and procedures were not always reasonably tailored because they were overly vague or general;
- Policies and procedures weren’t always enforced and did not always reflect actual practices;
- Some firms ran outdated operating systems that no longer received security patches; and
- High-risk findings from penetration tests and vulnerability scans weren’t always fully remediated in a timely manner.
And finally, OCIE noted “elements of robust policies and procedures” which a registrant may infer are the SEC’s views about best practices:
- Maintenance of an inventory of data, information and vendors;
- Detailed cybersecurity-related instructions (including specific information for penetration tests, security monitoring and auditing, access rights and reporting);
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Establishment and enforcement of specific controls to access data and systems;
- Mandatory employee training; and
- Engaged senior management.
OCIE’s notes and suggestions can be taken as a word to the wise, and OCIE is likely to review these aspects of a registrant’s operations in future exams.
If you have any questions about OCIE’s cybersecurity observations and how they may affect your business going forward, please contact me at the address below. This information is provided by the Law Office of John P. Ziaukas for educational and informational purposes only and is not intended and should not be construed as legal advice. This information may be considered advertising under applicable California law. Please refer to the Legal Disclaimers link below.