August 23, 2017 - Cyber Security Alert
On August 7, 2017, the U.S. Securities and Exchange Commission issued observations based on OCIE's Cybersecurity 2 Initiative, which examined 75 different registered entities, including broker-dealers, investment advisers, and others. The SEC examination focused on firms' written policies and procedures regarding cybersecurity. The Commission sought to understand firms' preparedness in: (1) governance and risk assessment, (2) access rights and controls, (3) data loss protection, (4) vendor management, (5) training, and (6) incident response.
The Commission found an overall improvement in firms' awareness of cybersecurity risks and in the implementation of procedures to address such risks, as follows:
- Firms conducted periodic risk assessments of critical cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident;
- Firms conducted penetration tests and vulnerability scans;
- Firms used some form of utility to prevent, detect and monitor loss of personally identifiable information;
- Firms had in place a process for ensuring regular system maintenance, including the installation of software patches;
- Firms provided information protection programs that included cyber-related topics;
- Firms maintained cybersecurity organization charts; and
- Firms conducted vendor risk assessments or required that vendors provide the firms with risk management reports.
However, the Commission observed a number of issues firms should address in order to assess and improve their policies, procedures and practices, such as:
- Firms' policies and procedures were not tailored to provide employees with appropriate guidance. Most cyber policies and procedures were narrowly drafted in scope, or vague, and did not articulate procedures for implementing such policies; and
- Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firm's actual practices.
The Commission observed potential Regulation S-P related issues as a result of firms not adequately conducting system maintenance and other operational safeguards to protect customer records and information.
The Commission noted six areas that firms should consider with their cybersecurity policies and procedures:
- Maintenance of an inventory of data and vendors that classifies risks, vulnerabilities, data, business consequences, and information regarding each service provider and vendor;
- Detailed cybersecurity-related instructions, such as for penetration tests and any other tests;
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access data and systems;
- Mandatory employee training; and
- Engaged Senior Management.
Firms should be aware of the information provided by the SEC on this topic when developing cyber security policies and procedures. Creating effective policies and procedures will help alleviate future issues with the SEC and FINRA.
Should you have any questions about this Alert or other compliance or regulatory matters, you may contact the author.