SEC Risk Alert urges broker-dealers, investment advisers, and investment companies to improve cybersecurity

August 10, 2017

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) at the Securities and Exchange Commission (“SEC”) published a Risk Alert (“Alert”)[1] describing observations from OCIE’s Cybersecurity 2 Initiative (“Initiative”) examinations. The Initiative, pursuant to which OCIE examined 75 firms, including broker-dealers, investment advisers, and investment companies (collectively, “firms”), focused on validating and testing procedures and controls surrounding cybersecurity preparedness, including assessments of the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.

Summary of Examination Observations

SEC staff observed an overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices. In contrast to OCIE’s Cybersecurity 1 Initiative, all broker-dealers, all investment companies, and nearly all investment advisers examined maintained cybersecurity-related written procedures and policies addressing protection of customer/shareholder records and information.

SEC staff observed, among other things, that (i) nearly all broker-dealers and the vast majority of advisers and funds conducted periodic risk assessments of critical systems to identify cybersecurity threats; (ii) nearly all broker-dealers and almost half of investment advisers and investment companies conducted penetration tests and vulnerability scans on critical systems; (iii) all firms used some form of system, utility, or tool to prevent, detect, and monitor data loss as it related to personally identifiable information; (iv) all broker-dealers and nearly all investment advisers and funds had a process in place to ensure regular system maintenance; and (v) nearly all firms’ policies and procedures addressed cyber-related business continuity planning and Regulation S-P[2] (and nearly all broker-dealers and most investment advisers and investment companies had specific policies and procedures related to Regulation S-ID[3]).

SEC staff also observed that some broker-dealers did not memorialize in writing the process for transferring customer or shareholder funds into third-party accounts, and appeared to have informal practices for verifying customers’ identities in order to proceed with requests to transfer funds. Further, while almost all firms conducted vendor risk assessments, only around half of the firms required that such risk assessments be updated on at least an annual basis.

Areas of Concern

In addition to considering areas where coverage appeared to have improved, SEC staff highlighted issues that firms would benefit from considering in order to improve their policies, procedures, and practices. In particular, the SEC pointed to the following issues:

  • Policies and procedures provided employees with only general guidance and as a result were not reasonably tailored.
  • Firms did not appear to adhere to or enforce the policies and procedures, or the policies and procedures did not reflect the firms’ actual practices.
  • Among firms that did not appear to adequately conduct system maintenance, there were examples of stale risk assessments and a lack of remediation efforts.

Elements of Robust Policies and Procedures

SEC staff also identified several attributes of “robust” policies and procedures, including:

  • Policies and procedures that maintain a complete inventory of data and information, along with classifications of the risks, vulnerabilities, data, business consequences, and information regarding each service provider and vendor.
  • Detailed cybersecurity-related instructions, including security monitoring, system auditing, access rights, and reporting.
  • Prescriptive schedules and processes for testing data integrity and vulnerabilities.
  • Established and enforced controls to access data and systems, including requiring third-party vendors to periodically provide activity logs on the firms’ networks.
  • Mandatory information security training for employees.
  • Senior management that vets and approves policies and procedures, and is otherwise engaged in cybersecurity matters.

OCIE will continue to examine and test for cybersecurity compliance procedures and controls.

______________________________________________________

[1] National Exam Program Risk Alert, Observations From Cybersecurity Examinations (Volume VI, Issue 5, August 7, 2017), available at http://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.

[2] 17 C.F.R. Part 248, Subpart A.

[3] 17 C.F.R. Part 248, Subpart C.

_____________________________________________________

If you have any questions regarding the matters covered in this memo, please contact any of the partners and counsel listed below or your primary attorney in Seward & Kissel’s Investment Management Group.