SEC Risk Alert Shows Gaps in Firm Cybersecurity Programs

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has released a Risk Alert with a brief summary of observations from its second round of cybersecurity exam sweeps, in which it surveyed 75 broker-dealers, investment advisers, and investment companies. The Cybersecurity 2 Initiative was a more thorough follow-up to its 2014 Cybersecurity 1 Initiative. The staff focused on (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.

Findings: Gaps

While the results showed improvement over 2014, the staff found that some fundamental items are missing from many programs. Notably, the items found lacking are ones that are often missing from generic compliance programs as well. These include:

  • Policies and Procedures are not tailored to the firm’s business model
  • Enforcement of Policies and Procedures:
    • Failure to follow review schedules
    • Failure to remain current with “ongoing” tasks
    • Contradictions or inconsistencies between cybersecurity and other policies
    • Failure to conduct required training
  • Reg S-P issues related to system maintenance:
    • Failure to maintain systems and install software patches
    • Outdated, unsupported systems
    • Lack of remediation for gaps found in testing

Findings: Controls

OCIE also listed several elements common to strong programs. Some of these are general characteristics of good compliance programs, not just important cybersecurity traits. These include:

  • Inventories of data, information, and vendors, including risk assessments and due diligence
  • Detailed Instructions, including:
    • Penetration testing and evaluation of effectiveness
    • Monitoring and audit
    • Access rights management
    • Specific incident-management procedures, including reporting and follow-up
  • IT test scheduling and controls, including:
    • Vulnerability scans
    • Patch management and maintenance policies
  • Access Controls:
    • Acceptable use policies
    • Mobile device security
    • Third-party vendor management
    • Terminated-employee procedures
  • Mandatory Training
  • Direct involvement by senior management

OCIE’s full summary is here:

This is OCIE’s second sweep in recent memory, and we expect this topic to receive even more attention as time passes. Mitigating the risk of a breach, whether caused by cyber criminals or by careless employees, is critical to keeping your firm and your clients safe. Oyster Consulting’s cybersecurity services include developing and implementing risk assessments, policies and procedures, and incident response and business continuity plans, among others. Oyster has the background and perspective to help you build the cybersecurity program that is right for your firm. We are the right partner to help you bridge the gap where business and technology meet, ensuring that you have the resources to understand the threats and the ability to protect yourself.

For more information about how Oyster can assist your firm with its cybersecurity and compliance programs, complete our contact form or call us at (804) 965-5400 and one of our Relationship Managers will be happy to help you.