On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, the Cybersecurity 2 Initiative focused more on validating and testing cybersecurity procedures and controls, with the alert highlighting improvements, deficiencies and best practices for registered firms.
Although OCIE noted improvements across the board (broker-dealers, at "all" or "nearly all" firms, led advisers and investment companies in a number of areas), it also identified several deficiencies. The findings are summarized below by topic.
Written Policies and Procedures
Firms generally scored high marks on maintaining written policies and procedures addressing cybersecurity, including Regulation S-P, Regulation S-ID, business continuity planning, the cybersecurity roles and responsibilities of their employees, and their response procedures for access incidents and intrusions that could cause service disruptions or lead to data breaches.
OCIE determined, however, that some policies and procedures were not reasonably tailored: they offered only "general guidance" and "limited examples of safeguards," were "narrowly scoped" or "vague," or provided "contradictory or confusing instructions" that employees might find difficult to follow.
Some firms also did not follow their policies and procedures, conducting reviews less frequently than prescribed or failing to ensure that all employees completed their required cybersecurity awareness training. Other policies and procedures were stale. For example, OCIE reported that "less than two thirds" of advisers and funds appeared to maintain their data breach incident response plans.
Risk Assessments
"Nearly all" broker-dealers and the "vast majority" of advisers and investment companies conducted periodic risk assessments of their information systems.
"Almost all firms" conducted initial risk assessments of third-party service providers, either directly or through various reports or certifications obtained at the outset, and "over half of the firms" updated these assessments at least annually.
Penetration Testing and Vulnerability Scans
"Nearly all" broker-dealers and "almost half" of advisers and investment companies conducted penetration tests and vulnerability scans on "critical" systems.
A "number" of firms failed to fully remediate certain risks identified through their penetration tests and vulnerability scans.
Data Loss Prevention
All broker-dealers and "nearly all" advisers and investment companies instituted procedures to maintain their information systems.
A "few" firms failed to install system patches, including security updates, while others used outdated operating systems that no longer receive security patches.
Access Controls
All advisers and investment companies maintained written policies and procedures to verify the identity of a customer requesting a funds transfer.
Some broker-dealers failed to memorialize customer verification procedures for funds transfers, relying instead on informal practices for confirming a customer's identity before honoring transfer requests. As scams involving fraudulent wire transfers proliferate, formal procedures and redundant safeguards against unauthorized requests are key.
Best Practices
OCIE also provided a noncomprehensive list of best practices identified during its examinations, suggesting that firms consider implementing these measures to bolster their cybersecurity programs. In addition to encouraging firms to undertake the compliance efforts discussed above, OCIE recommended that firms consider steps such as:
- Maintaining an inventory of their information assets and associated vendors, as applicable, classified by risks and vulnerabilities. This recommendation appears to go hand in hand with a firm's ability to conduct its periodic risk assessments.
- Tracking requests to access information systems, including policies and procedures for modifying access rights when hiring, terminating or changing responsibilities of employees. Although the risk alert did not specifically reference third-party service providers here, this recommendation likely would apply to them as well.
- Requiring and enforcing restrictions and controls for mobile devices that access information systems, including password protection and encryption. This recommendation acknowledges evolving business practices, the ubiquity of mobile devices and the necessity of remote access.
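One way to put the second practice above (tracking access and modifying rights on hire, termination and role change) into a repeatable check, as an added illustration that is not part of the SEC alert or this article: reconcile the HR roster against the accounts present on a system and flag anything that should have been changed. The role-to-entitlement map, the roster, the account list and the 90-day review window are constructed sample data and assumptions, not from any real firm.

```python
"""Joiner/mover/leaver reconciliation of an HR roster against a system's
account list. Added illustration; all data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical mapping from job role to the entitlements that role should hold.
ROLE_ENTITLEMENTS = {
    "trader": {"oms", "email"},
    "compliance": {"email", "surveillance", "oms_readonly"},
    "ops": {"email", "wire_approval"},
}


@dataclass
class Employee:
    user: str
    role: str
    hired: date
    terminated: Optional[date] = None


@dataclass
class Account:
    user: str
    entitlements: set
    last_review: date


def reconcile(roster, accounts, as_of, review_days=90):
    """Return sorted (user, finding) tuples describing access that needs action.

    Leavers: accounts whose owner is terminated or unknown to HR.
    Movers: entitlements beyond what the employee's current role requires.
    Joiners: active employees with no account on record.
    Also flags accounts whose periodic access review is overdue.
    """
    findings = []
    hr = {e.user: e for e in roster}
    active = {u: e for u, e in hr.items()
              if e.terminated is None or e.terminated > as_of}
    by_user = {a.user: a for a in accounts}

    for acct in accounts:
        emp = hr.get(acct.user)
        if emp is None:
            findings.append((acct.user, "account has no matching HR record"))
        elif emp.terminated is not None and emp.terminated <= as_of:
            findings.append((acct.user,
                             f"account still active after termination on {emp.terminated}"))

    for user, emp in active.items():
        acct = by_user.get(user)
        if acct is None:
            findings.append((user, "active employee has no account"))
            continue
        extra = acct.entitlements - ROLE_ENTITLEMENTS[emp.role]
        if extra:
            findings.append((user, f"entitlements exceed role '{emp.role}': {sorted(extra)}"))
        stale = (as_of - acct.last_review).days
        if stale > review_days:
            findings.append((user, f"access review overdue ({stale} days since last review)"))
    return sorted(findings)


def run_example():
    """Constructed sample: one leaver, one mover, one joiner, one orphan."""
    roster = [
        Employee("alice", "trader", date(2015, 1, 5)),
        Employee("bob", "ops", date(2014, 3, 10), terminated=date(2017, 6, 30)),
        Employee("carol", "compliance", date(2016, 2, 1)),   # moved from trader
        Employee("dave", "ops", date(2017, 8, 1)),           # new joiner
    ]
    accounts = [
        Account("alice", {"oms", "email"}, date(2017, 6, 1)),
        Account("bob", {"email", "wire_approval"}, date(2017, 1, 15)),
        Account("carol", {"email", "surveillance", "oms_readonly", "oms"}, date(2017, 5, 1)),
        Account("eve", {"email"}, date(2017, 7, 1)),         # no HR record
    ]
    return reconcile(roster, accounts, as_of=date(2017, 8, 7))


if __name__ == "__main__":
    for user, finding in run_example():
        print(f"{user}: {finding}")
```

Run against real exports, the findings list is the evidence an examiner would ask for: which terminated users still had access, which movers kept entitlements from a prior role, and whether reviews happened within the window the firm's own policy prescribes. Third-party service provider accounts can be fed through the same routine by treating the vendor contract as the "roster" entry.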
Because cybersecurity remains one of the SEC's top priorities, registered firms should, among other things, measure themselves against these improvements, deficiencies and best practices to ensure they are keeping up with regulatory expectations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.