The August 7, 2017 cybersecurity Risk Alert by the Securities and Exchange Commission ("SEC") Office of Compliance Inspections and Examinations ("OCIE") detailed the OCIE's findings from its Cybersecurity 2 Initiative and its examination of 75 financial firms, including broker-dealers, investment advisers, and investment companies. The goal of the examination was to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. The examinations focused on the firms' written policies and procedures regarding cybersecurity, with particular attention to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. While the OCIE staff observed an increase in cybersecurity preparedness since its prior 2014 Cybersecurity 1 Initiative, they noted certain areas where compliance and oversight could be improved and specifically identified several elements that the OCIE considers to be robust cybersecurity controls.

The OCIE recommendations overlap with some, but not all, of the Center for Internet Security ("CIS") Top 20 Critical Security Controls. For example, OCIE suggests that firms maintain a complete inventory of data and information, along with classifications of the risks, vulnerabilities, data, and business consequences, and information regarding each service provider and vendor. Firms should also have detailed cybersecurity-related instructions that include policies and procedures on penetration testing, security monitoring, system auditing, access rights, and reporting. Prescriptive schedules and processes for testing data integrity and vulnerabilities should also be maintained, including vulnerability scans of core IT infrastructure and patch management processes that provide for beta testing of patches and analyses of the reasons for, risks of, and methods of applying such patches. The OCIE also recommended implementing established and enforced controls over access to data and systems, mandating information security training for employees both at the time of on-boarding and periodically thereafter, and ensuring that senior management vets and approves all cybersecurity policies and procedures.

The OCIE's Risk Alert reaffirms the SEC's position that cybersecurity is one of the most significant risks for the financial services industry and that firms must ensure that their policies and procedures adequately address this risk. In this regard, the OCIE notes that firms "may wish to consider" these controls in the implementation of their cybersecurity-related policies and procedures. Accordingly, firms should use these elements as a guide for evaluating the adequacy of their current compliance programs and implement any elements that may be applicable to their business. In addition to these recommended elements from the OCIE, firms must also ensure that their compliance programs comport with developing state laws on cybersecurity, including New York's cybersecurity regulations that became effective on March 1, 2017 and Colorado's cybersecurity rules effective July 15, 2017. Additionally, it would be wise to review and implement the entirety of the CIS Top 20 Controls and otherwise keep on top of directives emerging from NIST and similar organizations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.