During the course of recent examinations conducted by the Securities and Exchange Commission (the “Commission” or the “SEC”), the agency noted an increase in cybersecurity preparedness among broker-dealers, investment advisers, and investment companies. However, the Commission’s Office of Compliance Inspections and Examinations (“OCIE”)—which was responsible for conducting the examinations—identified some areas where compliance and oversight could be improved. The issues identified by the OCIE largely centered on existing policies and procedures related to cybersecurity, as most of the 75 firms examined had a compliance manual that addressed cybersecurity.
At the conclusion of the examinations, the OCIE published a risk alert related to cybersecurity in an effort to summarize the observations of SEC staff during those examinations and to provide guidance that can be used to improve compliance and oversight. The OCIE observed the following issues: (1) policies and procedures were too general and vague; (2) there was a lack of adherence to or enforcement of policies and procedures; and (3) system maintenance was inadequate.
Based on examinations of firms that had implemented robust controls, the OCIE provided the following recommendations, among others, to firms as a whole:
- Security solutions should be reviewed pursuant to specific instructions contained in the policies and procedures.
- Policies and procedures should contain specific information regarding appropriate steps to take if confidential information is stolen, unintentionally disclosed, misdirected, or lost.
- Vulnerability scans of key IT infrastructure should be conducted to assist in identifying weaknesses in a firm’s core systems.
- All employees should be required to attend information security training from the time they are onboarded with the firm and on a periodic basis thereafter; the requirement should be documented in the firm’s policies and procedures.
- Senior management should be involved in vetting and approving the policies and procedures.
The risk alert released by the OCIE is intended to aid firms in improving their cybersecurity programs. If your firm needs a Cybersecurity Policy, or if your current policy needs to be revised or more narrowly tailored, please contact us for assistance.