In August, the SEC Office of Compliance Inspections and Examinations (OCIE) released a risk alert titled Observations From Cybersecurity Examinations. The alert summarized the OCIE's findings from examinations of 75 firms, focused on their cybersecurity preparedness. The firms examined included broker-dealers, investment advisers and mutual funds. The examinations evaluated each firm's cybersecurity preparedness with respect to:
- Governance & risk assessment
- Access rights and controls
- Data loss prevention
- Vendor management
- Training
- Incident response
The results of the OCIE's examinations, conducted between September 2015 and June 2016, were encouraging: nearly all of the firms were better prepared for a cybersecurity event than the firms examined in earlier years. Broker-dealers had made the most progress in meeting the OCIE's expectations, but a good number of investment advisers were still deficient. Among the issues the OCIE felt still needed work were the following:
- Policies and procedures were not reasonably tailored to the firm's operational structure. Policies were found to be vague and provided only general guidance, and procedures for implementing safeguards were vague or limited in scope.
- Firms' actual practices did not reflect their policies and procedures. Activities such as an annual customer protection review were being conducted less than annually. Reviews of safeguards that were supposed to be ongoing were being done annually or not at all. Safeguard procedures contradicted other office procedures, or were so vague that employees simply ignored them.
- Efforts to safeguard client information were lacking. Firms were cited for running outdated software that was no longer covered by security patches (time to upgrade from Windows XP, people!). Firms were also slow to remediate once it became evident that their safeguards for client information were deficient.
If you had any doubts as to the SEC's seriousness with respect to cybersecurity, let them be dispelled. When the SEC comes to your office, it is going to take a close look at how you are handling cybersecurity threats, employee cybersecurity training and the safeguarding of client information. The word on the street is that it could really hurt your pocketbook if your cybersecurity efforts are found deficient.
Cybersecurity Working Group coming soon!
If the above news has your stomach churning because you can't tell your Ethernet switch from your dual-band wireless router, we have good news. The Professional Issues Committee is putting together a Cybersecurity Working Group to help FPA MN members understand what it takes to be cybersecurity compliant. We are fortunate to have seasoned compliance professionals on the committee who have implemented cybersecurity policies and procedures at their firms that meet SEC standards. They will lead the group through the NIST Cybersecurity Framework, which the SEC points to as the best way to evaluate and respond to cybersecurity threats.
We will keep you posted on when the Working Group kicks off. In the interim, you are welcome to contact the FPA office and let them know that you are interested in participating.