On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its third National Exam Program Risk Alert of the 2017 calendar year, detailing OCIE’s findings and observations from its Cybersecurity 2 Initiative. This Cybersecurity 2 Initiative, the name for OCIE’s second round of cybersecurity examinations, builds on OCIE’s prior 2015 Cybersecurity 1 Initiative, and includes more robust validation and testing of cybersecurity controls to evaluate how well firms implement and follow their cybersecurity-related policies and procedures.
This latest OCIE Risk Alert summarizes the exam staff’s findings after conducting examinations of 75 firms, consisting of broker-dealers, investment advisers and investment companies registered with the SEC and includes three key sections. First, the staff provided a summary of its exam observations, including discussions of the use by registrants of risk assessments, penetration testing, tools to monitor loss of personal data, and other policies, procedures and methods for dealing with cybersecurity and related business continuity issues. Second, the staff noted that the vast majority of examinations uncovered one or more cybersecurity-related issues, and highlighted certain of the more prevalent issues observed by the staff. Finally, and perhaps most notably, the staff provided a list of “several elements that were included in the policies and procedures of firms that the staff believes had implemented robust controls.” When creating and implementing cybersecurity programs, other registrants may benefit from considering these good practices identified by the staff. We will be publishing a more detailed summary and analysis of the August 2017 Risk Alert, and in particular these guideposts for registrants consideration, in the coming week.
The August 2017 Risk Alert is the second cybersecurity-related Risk Alert issued by OCIE this year (the May 2017 Risk Alert dealt with ransomware issues), and with the September 2015 Risk Alert is the fifth expressly dealing with cybersecurity since 2014 when OCIE announced its Cybersecurity Preparedness Initiative, the results of which were summarized in a February 2015 Risk Alert. It is safe to say that not only has the SEC’s interest in cybersecurity issues faced by broker-dealers, investment advisers and investment companies not waned but, as is the case in almost every industry, it has intensified.
Financial industry participants registered with or subject to oversight by the SEC need to take notice of the spate of information on this topic produced by the SEC and be mindful of the concepts discussed by OCIE in these releases when creating, reviewing and/or modifying their cybersecurity policies and procedures to comply with and meet SEC regulatory requirements and expectations.