FYI: OCIE Publishes Observations from More Cybersecurity Exams

FYI: OCIE has published a Risk Alert summarizing observations from its second cybersecurity initiative, which looked at cybersecurity preparedness at 75 more SEC-registered broker-dealers and investment advisers/funds. This second initiative built on OCIE’s first cybersecurity initiative conducted in 2014-2015, but included more validation and testing of firm controls and procedures.
In general, OCIE observed an increase in cybersecurity preparedness since 2014, although continued weaknesses were cited in various areas, including:
• policies and procedures not being reasonably tailored to the firm;
• policies and procedures not being enforced or not reflecting actual practice;
• software security patches not being installed; and
• lack of full and timely remediation following high-risk findings from scans or testing.
In a “must-read” section for firms looking to improve their cybersecurity programs, the Risk Alert listed a number of cyber program elements that OCIE observed at firms believed to have implemented “robust” controls. Those included:
• maintaining an inventory of data, information and vendors;
• maintaining detailed cybersecurity-related instructions covering areas such as penetration testing, system auditing, access controls and reporting;
• maintaining prescriptive schedules and processes for testing data integrity and vulnerabilities;
• establishing and enforcing access controls, including those for employees as well as third-party vendors;
• mandatory employee training; and
• engaged senior management.
The full Alert with details can be accessed here:
