During the course of recent examinations conducted by the Securities and Exchange Commission (the “Commission” or the “SEC”), the agency noted an increase in cybersecurity preparedness among broker-dealers, investment advisers, and investment companies. However, the Commission’s Office of Compliance Inspections and Examinations (“OCIE”), which was responsible for conducting the examinations, identified some areas where compliance and oversight could be improved. The issues identified by the OCIE largely centered on existing policies and procedures related to cybersecurity, as most of the 75 firms examined had a compliance manual that addressed cybersecurity.
At the conclusion of the examinations, the OCIE published a risk alert related to cybersecurity in an effort to summarize the observations of SEC staff during those examinations and to provide guidance that can be used to improve compliance and oversight. The OCIE observed the following issues: (1) policies and procedures were too general and vague; (2) there was a lack of adherence to, or enforcement of, policies and procedures; and (3) system maintenance was inadequate.
Based on examinations of firms that had implemented robust controls, the OCIE provided the following recommendations, among others, to firms as a whole:
- Security solutions should be reviewed pursuant to specific instructions contained in the policies and procedures.
- Policies and procedures should contain specific information regarding appropriate steps to take if confidential information is stolen, unintentionally disclosed, misdirected, or lost.
- Vulnerability scans of key IT infrastructure should be conducted to assist in identifying weaknesses in a firm’s core systems.
- All employees should be required to attend information security training from the time they are onboarded with the firm and on a periodic basis thereafter; the requirement should be documented in the firm’s policies and procedures.
- Senior management should be involved in vetting and approving the policies and procedures.
Click here to access the risk alert released by the OCIE with the goal of aiding firms in improving their cybersecurity programs. If your firm needs a Cybersecurity Policy or if your current policy needs to be revised or more narrowly tailored, please contact us for assistance.
About Red Oak Compliance Solutions
Red Oak Compliance Solutions is the global advertising review software of choice in the financial services industry. It is a comprehensive suite of SEC 17A-4 compliant features that are 100% books and records compliant and provides clients with 35% faster approvals and 70% fewer touches or better. We also offer Smart Review(SM), which solves for the storage and maintenance of disclosures, helping firms reduce risk, decrease review times, and increase the speed of distribution of marketing materials. Smart Registration(SM) automates the licensing and registration management process to help reduce regulatory risk and time spent on manual processes. Overall, Red Oak allows firms to minimize risk, reduce costs, and increase compliance review process effectiveness and efficiencies.