On Aug. 7, 2017, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) released a risk alert summarizing the results of its second cybersecurity preparedness examination. The examination, which OCIE conducted in 2015 – 2016, covered a one-year period beginning in October 2014 and surveyed 75 regulated broker-dealers, investment advisers and funds. OCIE's report observed that financial firms had increased their cybersecurity preparedness since OCIE's previous cybersecurity examination, the results of which were released in February 2015. However, OCIE also found that there were numerous areas where firms could improve their cybersecurity compliance and oversight.

OCIE's report highlighted various improvements in the industry since the previous examination. Notably, all the examined broker-dealers and funds, and nearly all the examined advisers, maintained written cybersecurity policies and procedures regarding protecting customer/shareholder information and records. Further, the vast majority of examined firms conducted periodic cybersecurity risk assessments. Additionally, all the examined firms had implemented some system or tool to prevent, detect, and monitor data loss pertaining to personally identifiable information. The report also noted that the majority of examined firms engaged in penetration testing and conducted vulnerability scans, obtained or conducted vendor risk assessments, and had a process for ensuring regular system maintenance.

Despite these positive findings, OCIE observed that the "vast majority" of examined firms had one or more cybersecurity deficiencies to address. In particular, OCIE observed that many firms' cybersecurity policies and procedures were "not reasonably tailored" because, for example, "they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies." Further, OCIE observed that firms "did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms' actual practices." OCIE noted, for example, that some firms failed to perform ongoing security reviews and/or ensure that all employees completed cybersecurity awareness training. OCIE also found that some firms lacked procedures needed to address Regulation S-P, which governs the privacy of consumer financial information.

In order to encourage good practices, OCIE's report listed various elements of robust policies and procedures. These elements include:

  • Maintaining a complete inventory of data, information and vendors.
  • Providing detailed instructions and policies concerning penetration tests, security monitoring, system auditing, access rights and reporting.
  • Maintaining prescriptive schedules and processes for testing data integrity and vulnerabilities.
  • Establishing and enforcing controls to access data and systems.
  • Mandating training for all employees.
  • Engaging senior management to vet and approve cybersecurity policies and procedures.

OCIE's report noted that cybersecurity "remains one of the top compliance risks for financial firms" and that OCIE "will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms." With this ongoing focus and the potential trouble areas identified in OCIE's risk alert, covered firms should revisit their policies and procedures to confirm compliance — and consider where improvements could be made.

Additionally, on Sept. 25, the SEC announced the creation of a Cyber Unit as part of the Enforcement Division's efforts to address cyber-based threats. The Cyber Unit will focus on misconduct such as:

  • Market manipulation schemes involving false information spread through electronic and social media.
  • Hacking to obtain material non-public information.
  • Violations involving distributed ledger technology and initial coin offerings.
  • Intrusions into retail brokerage accounts.
  • Cyber-related threats to trading platforms and other critical market infrastructure.

Robert A. Cohen, formerly of the Market Abuse Unit, was appointed chief of the Cyber Unit. Meanwhile, the regulator also announced the establishment of a retail strategy task force, which will aim to develop "proactive, targeted initiatives" to identify large-scale misconduct impacting retail investors.