On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the US Securities and Exchange Commission (“SEC”) announced the results of its second cybersecurity examination initiative.1 This initiative built on the SEC’s 2014 cybersecurity examination initiative (“Cybersecurity 1 Initiative”) but “involved more validation and testing of procedures and controls surrounding cybersecurity preparedness.”2
Beginning in September 2015 and over roughly a one-year period, OCIE examined 75 regulated entities—broker-dealers (“BDs”), investment advisers (“IAs”) and investment companies (“funds”)—focusing on (1) governance and risk assessment, (2) access rights and controls, (3) data loss prevention, (4) vendor management, (5) training and (6) incident response.
OCIE reported the results of its cybersecurity initiative in a “risk alert,” which offers both observations of industry cybersecurity practices and recommendations for best practices that regulated entities may wish to consider implementing.
This Legal Update discusses what the OCIE Risk Alert reports on the maturation of cybersecurity defenses, the issues it notes regarding industry practices and what it recommends for regulated entities.
Maturation of Cybersecurity Defenses
In the OCIE Risk Alert, OCIE observed that there had been an overall improvement in the awareness of cyber-related risks and implementation of cybersecurity practices at regulated entities since the Cybersecurity 1 Initiative. OCIE noted that all BDs and funds and nearly all IAs maintained written cybersecurity-related policies and procedures for the protection of customer and shareholder information. It also observed that nearly all BDs and many IAs and funds have implemented periodic risk assessments, penetration testing and vulnerability scanning, and almost all regulated entities have implemented data loss prevention tools and regular system software maintenance.
Although most regulated entities also have implemented policies for business continuity and incident/data breach response planning and Regulations S-P and S-ID compliance, a material number of IAs and funds have not yet implemented data breach response plans. Also, most regulated entities have implemented vendor risk assessment/monitoring processes, and many entities require annual or more frequent updates to these assessments after initial diligence has been performed.
Issues Observed with Industry Practices
Despite the maturation noted above, OCIE observed several issues in the examinations that it believes regulated entities would benefit from focusing on.
First, OCIE noted that many cyber-related policies and procedures were not reasonably tailored to the particular entity because they “provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague” or provided contradictory or confusing instructions.
Second, regulated entities failed to consistently conduct annual customer protection reviews, ongoing security protocol reviews and employee training, even if required by the regulated entity’s cyber-related policies and procedures.
Third, regulated entities’ Regulation S-P compliance activities were lacking in regular patch management for software systems, replacement of outdated operating systems and remediation of high-risk findings from penetration testing and vulnerability scanning.3
Recommendations for Robust Compliance
OCIE identified six broad elements that it recommends regulated entities consider adopting as part of their compliance programs:
- Maintenance of an inventory of data, information and vendors: A complete inventory of data and information and classification of the related risks and vulnerabilities.
- Detailed policies and procedures for penetration testing, security monitoring, system auditing, access rights and data breach reporting: Specific documentation addressing the scope, methodology, timing and responsible parties for an entity’s cybersecurity activities.
- Maintenance of schedules and processes for activities such as vulnerability scanning and patch management: Defined schedules and prioritization for activities related to testing and risk-assessing patches and identifying system vulnerabilities.
- Effective access controls and access monitoring: Implementation of acceptable use and mobile device policies, review of third-party vendor logs and very prompt termination of former employees' systems access.
- Mandatory enterprise-wide information security training: Training covering all employees at on-boarding and periodically thereafter.
- Engagement of senior management in the review and approval of cyber-related policies and procedures.
* * *
The OCIE Risk Alert does not state whether there will be a third, separately structured cybersecurity examination initiative, but OCIE has indicated in its 2017 examination program priorities that it will continue its initiative by examining cybersecurity compliance procedures and controls and their implementation at regulated entities.4
For more information about any of the issues raised in this Legal Update, please contact Amy Ward Pershkow, Matthew Rossi, Jeffrey Taft, Jerome Roche, Adam Kanter or Matthew Bisanz.
1 OCIE, National Exam Program, Risk Alert: Observations from Cybersecurity Examinations (Aug. 7, 2017) [hereinafter OCIE Risk Alert], available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf. For the SEC’s announcement of the second cybersecurity initiative, see OCIE, National Exam Program, Risk Alert: OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), available at https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf.
2 See OCIE, National Exam Program, Risk Alert: Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; OCIE, National Exam Program, Risk Alert: Cybersecurity Initiative (Apr. 15, 2014), available at https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf; and our Legal Update on the Cybersecurity 1 Initiative.
3 Under Regulation S-P, a regulated entity must implement reasonable security policies and procedures to protect customer records and information from unauthorized access or alteration. Therefore, if an entity fails to secure its systems, the SEC may take an enforcement action against it for a violation of Regulation S-P. See our prior Legal Update discussing a recent enforcement action involving Regulation S-P.
4 OCIE, National Exam Program, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf. See our prior Legal Update discussing the 2017 OCIE examination priorities.