The SEC has recently completed its Cybersecurity Examination Initiative, aimed at better understanding how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity. The examined firms were selected to provide perspectives from a cross-section of the financial services industry and to assess various firms’ vulnerability to cyber-attacks. The review was designed to discern basic distinctions among the level of preparedness of the examined firms.
As a result of this review, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) highlights several factors that firms may consider in order to: (1) assess their supervisory, compliance and/or other risk management systems related to cybersecurity risks, and (2) make any changes, as may be appropriate, to address or strengthen such systems.
As part of the examinations, OCIE collected and analyzed information from firms relating to their practices for:
- Identifying risks related to cybersecurity
- Establishing cybersecurity governance, including policies, procedures, and oversight processes
- Protecting firm networks and information
- Identifying and addressing risks associated with remote access to client information and funds transfer requests
- Identifying and addressing risks associated with vendors and other third parties
- Detecting unauthorized activity
The staff also held interviews with key personnel at each firm regarding its business and operations; detection and impact of cyber-attacks; preparedness for cyber-attacks; training and policies relevant to cybersecurity; and protocol for reporting cyber breaches.
Summary Examination Observations
OCIE provided summary observations from the examinations conducted, as follows:
- The vast majority of examined broker-dealers (93%) and advisers (83%) have adopted written information security policies.
- Written business continuity plans often address the impact of cyber-attacks or intrusions, most importantly by discussing the mitigation of the effects of a cybersecurity incident and/or outlining the plan to recover from such an incident.
- Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.
- Many firms are utilizing external standards and other resources to model their information security architecture and processes, such as those published by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and the Federal Financial Institutions Examination Council (“FFIEC”).
- The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences.
- A majority of the broker-dealers examined and approximately a third of the advisers examined require cybersecurity risk assessments of vendors with access to their firms’ networks.
- Many examined firms identify best practices through information-sharing networks, with half of the broker-dealers examined holding membership in industry groups, associations, or organizations (both formal and informal) that exist for the purpose of sharing information regarding cybersecurity attacks and identifying effective controls to mitigate harm, such as the Financial Services Information Sharing and Analysis Center (“FS-ISAC”). In contrast, advisers more frequently relied on discussions with industry peers, attendance at conferences, and independent research to identify cybersecurity practices relevant to their business and to learn about the latest guidance from regulators, government agencies, and industry groups.
- The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources.
- Most of the broker-dealers examined incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners, whereas few of the advisers examined incorporate such requirements.
- Almost all of those examined make use of encryption in some form.
- Many examined firms provide their clients with suggestions for protecting their sensitive information. Many of the broker-dealer firms provide their customers with some form of information about reducing cybersecurity risks in conducting transactions with the firm. Similarly, advisers were seen to provide clients with information about certain steps that can be taken to reduce cybersecurity risks when conducting business with the firm.
- Many broker-dealer firms have a designated Chief Information Security Officer (“CISO”), whereas fewer than a third of the advisers examined have designated a CISO; rather, advisers often direct their Chief Technology Officer to take on the responsibilities typically performed by a CISO, or they have assigned another senior officer (such as the CCO, CEO or COO) to liaise with a third-party consultant who is responsible for cybersecurity oversight.
- Over half of the broker-dealers examined maintained insurance for cybersecurity incidents, whereas only a small number of the advisers maintained insurance that covers losses and expenses attributable to cybersecurity incidents.
See the Seward & Kissel Memorandum “SEC Risk Alert urges broker-dealers, investment advisers, and investment companies to improve cybersecurity”.
See the Risk Alert on OCIE’s Cybersecurity 2 Initiative.
See the companion blog post titled “Revisiting the SEC’s 2015 ‘Summary of Cybersecurity Examination Sweep’” for discussion of the Cybersecurity 1 Initiative.