Professionals Services Insights Community
About Offices Careers
Home / Insights / Observations from OCIE's ...
PDF

September 14, 2017 | Fund Forum

Observations from OCIE's Cybersecurity 2 Initiative

3 min

The United States Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) recently conducted its Cybersecurity 2 Initiative (Initiative). The Initiative consisted of an examination by OCIE of 75 businesses, including investment companies, investment advisers, and broker-dealers (collectively, the Firms). OCIE reported its observations from the Initiative in a recent Risk Alert.1 The Initiative focused on the Firms' written policies and procedures regarding cybersecurity and included validation and testing that such policies and procedures were implemented and followed.

In general, OCIE observed that Firms had increased their cybersecurity preparedness since OCIE's 2014 Cybersecurity 1 Initiative.2 However, OCIE noted specific areas where compliance and oversight could be improved. A summary of OCIE's observations, including issues and robust practices identified by the organization, follows.

Observations

OCIE observed that most Firms conducted (i) periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and business consequences, and (ii) penetration tests and vulnerability scans. In addition, all Firms utilized some system, utility, or tool to prevent, detect, and monitor data loss related to personally identifiable information. In contrast, OCIE's observations included several issues at many Firms, depending, in part, on the type of firm. For example:

  • A number of Firms did not appear to fully remediate risks discovered from tests and scans.
  • A number of Firms failed to install critical software security patches in connection with regular system maintenance.
  • Many advisers and funds did not appear to maintain their incident response plans related to data breach incidents and notifying customers or clients.
  • Some Firms did not appear to memorialize, as part of their written supervisory procedures, their authority to transfer client/customer funds to third-party accounts.

Specific Issues Identified by OCIE

OCIE provided more detail with respect to many of the issues identified pursuant to the Initiative. For example, although most Firms kept up-to-date written policies and procedures for the protection of client data, many did not enforce those policies. OCIE noted that many of the Firms' actual practices diverged from their stated goals. Additionally, OCIE noted that Firms should tailor their policies to their business and should avoid creating contradictory or confusing instructions for employees, particularly with respect to certain areas, such as remote access and investor fund transfers. Finally, some issues implicated Regulation S-P, including the use of outdated operating systems and the failure to correct high-risk vulnerabilities when identified.

Robust Policies and Procedures

OCIE also highlighted the following elements of robust cybersecurity policies and procedures:

  • Firms generally kept a complete inventory of data and information and classified it by risk, vulnerabilities, and other criteria.
  • Firms' policies and procedures included detailed cybersecurity-related instructions, including with respect to penetration tests, security monitoring and system auditing, access rights, and reporting.
  • Many Firms maintained schedules and processes for testing data integrity and vulnerabilities, such as scans of core IT infrastructure and patch management policies.
  • Other Firms required strict controls, including passwords and other encryption, for mobile devices that connected to the Firms' systems.
  • Finally, some Firms strictly traced an employee's access rights throughout his or her time with the company, noting how and when the rights changed.

The Initiative and OCIE's related observations reinforce the priorities set forth in OCIE's 2017 Priorities Letter (a copy of which can be accessed here). OCIE's continued scrutiny of the industry's cybersecurity programs, policies, and procedures merits ongoing diligence, assessments, and improvements by regulated firms. To read more about OCIE's cybersecurity examination observations, click here.

[1] Observations from Cybersecurity Examinations, National Exam Program Risk Alert by the Office of Compliance Inspections and Examinations, Vol. VI, Issue 5, August 7, 2017.

[2] For a copy of OCIE's 2014 Cybersecurity 1 Initiative Observations, click here.

Related Services

Practices

Industries

Related Insights

Significant changes to the federal regulatory process, new cybersecurity requirements for New York financial institutions, and more in this issue of Business News Digest
Significant changes to the federal regulatory process, new cybersecurity requirements for New York financial institutions, and more in this issue of Business News Digest

March 2017

3min
FDA and FTC coordinate on dietary supplements, digital health laws companies should know, and more in this issue of Business News Digest
FDA and FTC coordinate on dietary supplements, digital health laws companies should know, and more in this issue of Business News Digest

September 2017

2min
SEC and FINRA Cybersecurity Reports Highlight Cybersecurity As a New Compliance Priority
SEC and FINRA Cybersecurity Reports Highlight Cybersecurity As a New Compliance Priority

February 24, 2015

6min
View More

Recent News

Variety Spotlights Three Venable Attorneys in Its 2024 Legal Impact Report
Variety Spotlights Three Venable Attorneys in Its 2024 Legal Impact Report

April 17, 2024

1min
Venable Ranks Among American Lawyer Magazine’s Top 100 Firms
Venable Ranks Among American Lawyer Magazine’s Top 100 Firms

April 17, 2024

2min
Corporate Counsel Quotes Kevin Shepherd on the Corporate Transparency Act Reporting Requirements
Corporate Counsel Quotes Kevin Shepherd on the Corporate Transparency Act Reporting Requirements

April 16, 2024

2min
View More