On August 7th, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) released its observations from its Cybersecurity 2 Initiative. The staff examined 75 firms consisting of broker-dealers, investment advisers, and investment companies (“funds”) in order to assess industry practices and legal and compliance issues associated with cybersecurity preparedness.
• The staff observed increased preparedness since its 2014 Initiative
• There is an overall improvement in firms’ awareness of cyber-related risks and implementation of cybersecurity practices
• Nearly all firms that were examined maintained written policies and procedures related to cybersecurity
• The vast majority of advisers and funds conducted periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident
• Almost half of the advisers and funds conducted penetration tests and vulnerability scans on systems that the firms considered to be critical
• All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information
• Nearly all advisers and funds had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities
The Not So Good
• A majority of the firms’ information protection policies and procedures appeared to have issues
• Firms did not appear to adhere to or enforce their policies and procedures, or the policies and procedures did not reflect the firms’ actual practices
• The staff also observed Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information
Cybersecurity remains one of the top compliance risks for financial firms. As noted in OCIE’s 2017 priorities, OCIE will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.