The SEC Office of Compliance Inspections and Examinations ("OCIE") examined 75 broker-dealers, investment advisers and investment companies as part of its Cybersecurity 2 Initiative to assess industry practices concerning cybersecurity preparedness. OCIE National Examination Program staff reported an overall improvement in awareness of cyber-related risks and the implementation of certain cybersecurity practices since the OCIE's Cybersecurity 1 Initiative.

According to the OCIE Risk Alert, the Cybersecurity 2 Initiative examinations focused on firms' written policies and procedures and included more testing of controls than the first initiative. Specifically, the examinations addressed:

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

Notably, the OCIE found that all broker-dealers, all funds, and nearly all advisers examined in the Cybersecurity 2 Initiative maintained written cybersecurity policies and procedures addressing the protection of customer and shareholder records. These findings contrasted with those of the Cybersecurity 1 examinations. The OCIE also found firms that were not "adhering to or enforcing" their policies and procedures, and firms whose guidance for employees was too general to be actionable. The OCIE report included recommendations for how firms could improve the controls in their respective cyber programs.

In a related white paper on cyber risk, the Bank for International Settlements Financial Stability Institute evaluated the regulatory and supervisory initiatives of a number of leading jurisdictions, including Hong Kong SAR, Singapore, the United Kingdom and the United States. The paper reviewed supervisory approaches to assessing the cyber-risk vulnerability and resilience of banks. It also identified a trend toward "threat-informed" testing frameworks, in which threat intelligence is used to design the simulated cyber attacks run against an entity when testing its cybersecurity.

Commentary / Joseph V. Moreno

Broker-dealers and investment advisers should use the OCIE Report as a baseline against which to measure their own cybersecurity policies. To the extent that the Report notes that "all" firms or a "vast" number of firms have instituted a particular policy, any broker-dealer or adviser not having instituted the particular policy should either do so very promptly or have a good reason as to why the particular policy is not appropriate for the firm. Similarly, all firms should be aware of those areas where OCIE pointed out common deficiencies, for example, insufficiently detailed guidance in compliance procedures, reviews that were conducted less frequently than required under a firm's compliance procedures, inconsistent instructions in employee manuals, and failure to provide employees with (supposedly) required cybersecurity training. As the regulatory standards for cybersecurity compliance procedures are steadily ratcheting upwards, firms that fail to document and implement "best practice" procedures are putting themselves at substantial civil and regulatory risk.
