As cybersecurity remains one of the top compliance risks for financial firms, the SEC has released a Risk Alert on observations from OCIE’s Cybersecurity 2 Initiative. Whereas the initial initiative in 2014 undertook to assess associated industry practices and legal and compliance issues, the more recent initiative focused on validating and testing the procedures and controls surrounding cybersecurity preparedness.
In particular, the Cybersecurity 2 Initiative focused on firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were implemented and followed. In addition, the staff sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.
In general, the staff acknowledged that it observed increased cybersecurity preparedness since the first initiative; however, there are areas where compliance and oversight could be improved, as follows:
- Policies and procedures were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.
- Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices.
- The staff also observed Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information.
Other takeaways from the Risk Alert are the following elements of robust policies and procedures that the staff observed, which can serve as best practices for the implementation of cybersecurity-related policies and procedures:
- Maintenance of an inventory of data, information, and vendors.
- Detailed cybersecurity-related instruction, such as for penetration tests, security monitoring and system auditing, access rights, and reporting.
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities.
- Established and enforced controls to access data and systems.
- Mandatory employee training.
- Engaged senior management with policies and procedures vetted and approved by senior management.