August 7, 2017: The U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) has released results of its Cybersecurity 2 Initiative. In this Initiative, National Examination Program Staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. The OCIE Cybersecurity 2 Initiative examinations involved more validation and testing of procedures and controls attendant to cybersecurity preparedness than was previously performed in OCIE’s 2014 Cybersecurity 1 Initiative.
This round of examinations focused on each registrant’s written cybersecurity policies and procedures, including validating and testing that such policies and procedures were implemented and followed. The Staff focused on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.
The SEC noted that most registrants examined in the Cybersecurity 2 Initiative had developed and implemented written cybersecurity policy and procedures, though the Staff identified opportunities for improved cybersecurity risk management.
Specific risk management attributes observed by the Staff include the following:
- Nearly half of the advisers and funds examined had conducted a penetration test; however, several had not initiated remediation of the related findings.
- Nearly all advisers and funds performed cyber risk assessments to augment risk identification initiatives and mitigate consequences of failure.
- All advisers and funds utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
- Nearly all advisers and funds have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities; however, some firms had failed to install updates.
- Information protection programs at the advisers/funds typically included relevant cyber-related topics, such as policies and procedures (e.g., Reg S-P and BCP) and response plans (e.g., addressing access incidents and denial of service scenarios), although less than 66% of the advisers/funds examined had response plans in place to address data breach scenarios.
- Most advisers and funds maintained cybersecurity organizational charts and/or identified and described cybersecurity roles and responsibilities for the firms’ workforce.
- Two-thirds of advisers/funds retained authority to transfer funds on behalf of clients to third-party accounts, while all such advisers/funds maintained policies, procedures, and standards related to verifying the authenticity of customer/shareholder fund transfer requests.
- Almost all firms either conducted vendor risk assessments or required that vendors provide risk management and performance reports.
Areas of Deficiency and Vulnerability
Specific risk management deficiencies or vulnerabilities included the following:
- Most cyber risk policies and procedures require improvement:
  - Many firm policies and procedures were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.
  - Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices (e.g., the articulated frequency of testing or review was not adhered to, contradictory procedures, and/or incomplete training).
- The Staff also observed Regulation S-P issues wherein system maintenance procedures were not followed (e.g., the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information).
Best-in-Breed Policy and Procedures
The Commission observed several elements that were included in the cyber policies and procedures of firms that the Staff believes had implemented robust controls:
- Maintenance of an inventory of data, information, and vendors (analogous to the risk matrix advocated for general compliance risk management).
- Detailed cybersecurity-related instructions, as follows:
  - Penetration tests – policies and procedures included specific information to review the effectiveness of security solutions.
  - Security monitoring and system auditing.
  - Access rights – requests for access were tracked, while policies and procedures specifically addressed modification of access rights, such as for employee onboarding, changing positions or responsibilities, or terminating employment.
  - Reporting – policies and procedures specified actions to undertake, including who to contact, if sensitive information was lost, stolen, or unintentionally disclosed/misdirected.
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities:
  - Vulnerability scans of core IT infrastructure.
  - Patch management policies that included, among other things, the beta testing of a patch with a small number of users and servers before deploying it across the firm.
- Established and enforced controls to access data and systems:
  - Implemented detailed “acceptable use” policies that specified employees’ obligations when using firm networks and equipment.
  - Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications.
  - Required third-party vendors to periodically provide logs of their activity on the firms’ networks.
  - Required immediate termination of access for terminated employees and very prompt (typically same-day) termination of access for employees that left voluntarily.
- Mandatory employee training.
- Engaged senior management.
Cybersecurity risks continue to challenge advisers and funds (please refer to the Investment Adviser Association’s 2016 Investment Management Compliance Testing Survey, in which 88% of adviser respondents viewed cybersecurity as the “hottest compliance topic for 2016”). It is also noteworthy that, while the SEC has not yet promulgated formal cybersecurity rules, the Division of Enforcement has been aggressively sanctioning and prosecuting advisers for failure to heed regulatory cyber guidance.
August 10, 2017
prepared by Horrigan Resources, Ltd.
Not customized advice. Not legal advice.