SEC Cyber Sweep Highlights Areas In Need of Improvement

The results of the SEC’s second cybersecurity sweep examinations are in, and they paint a picture of an industry that has come to grips with the need to address cybersecurity risk, but where the canvas is incomplete in many respects. On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on “Observations from Cybersecurity Examinations” in which it describes its findings from examinations of 75 investment advisers and broker-dealers.

The Risk Alert is broken down into observations and issues identified at firms, including the following:

  • Most advisers now address cybersecurity to some extent in their policies and conduct cybersecurity risk assessments. Reg. S-P and Reg. S-ID were mostly addressed. Policies lagged in other cyber areas.
  • Half of advisers now conduct penetration tests or vulnerability scans to monitor their networks.
  • Software patching has improved at firms in the last two years.
  • Initial vendor due diligence by advisers has improved, although half of the advisers don’t follow up with ongoing due diligence of their vendors.
  • Firms had policies on cybersecurity training for their staff but were not enforcing or tracking it.

Ascendant has noted previously that cybersecurity-related deficiencies are likely to fall in one of three buckets:

  • Not having cybersecurity policies in place
  • Having inadequate cybersecurity policies that have not been tailored to the firm
  • Having strong cybersecurity policies but not adhering to them

The Risk Alert summarizing the Phase 2 Cyber Exams specifically confirmed these shortcomings, revealing that while most firms now have cyber policies, “a majority of the firms’ information protection policies and procedures appeared to have issues.”

It also observed several elements common to firms that had implemented robust controls, including maintenance of an inventory of data, information, and vendors, along with classification of risks and vulnerabilities; detailed cybersecurity-related instructions such as access rights related to employee onboarding and responsibilities; established and enforced access controls such as required immediate termination of access for terminated employees; mandatory information security employee training; and an engaged senior management staff that vets and approves policies and procedure.

Since its inception, Ascendant has been assisting investment advisers on Regulation S-P and business continuity issues, and since 2012 to help firms create information security policies and procedures reasonably designed and tailored to their firms.

And we are pleased to say that the issues identified in the Phase 2 cybersecurity examination summary are ones that we have helped clients of our cybersecurity services address through custom cybersecurity policies, cybersecurity testing, and training.

The SEC makes clear in the Risk Alert that cybersecurity exams are here to stay. If you’d like to see how Ascendant’s cybersecurity team can strengthen your cybersecurity program, or need help with services like cybersecurity risk assessments, vulnerability scanning, penetration testing, social engineering testing, and cyber training, please contact us.

Related Content

Latest Content

SEC’s Latest Risk Alert Focuses on Electronic Communications

The SEC’s most recent risk alert, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” issued on December 14, 2019, focuses on the use and maintenance of electronic communications for business purposes. The purpose of the alert is to remind advisers of their obligations related to personal use of electronic messaging and the requirements for … Continued

SEC OCIE Issues 2019 Examination Priorities

Well ahead of the New Year, the SEC Office of Compliance Inspections and Examinations (OCIE) announced its 2019 examination priorities. In keeping with OCIE’s four “pillars” of promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy, the Dec. 20 release provides a preview of key areas where OCIE intends to focus its limited … Continued

Highlights of 2018: Predictions for 2019

Our annual year-end review covers investment adviser compliance highlights from 2018, and makes 2019 predictions. We will highlight enforcement actions and SEC risk alerts for retail advisers, private fund managers, and institutional wealth managers. Using these as road markers, our predictions are designed to lead reasonable and effective compliance program development. Evaluate 2018 Compliance and … Continued

A New View of How Technology Will Change the Emerging Crytpo-Economy

From the top of the world, it’s amazing what you can see.  I recently had the opportunity to travel to the United Arab Emirates to speak in Dubai at the 7th Edition of the Alternative Investment Management Summit. While I was there, I took a few moments to ride to the top of the Burj … Continued

SEC Retail Investor Focus Turns Towards Registered Investment Companies

Earlier this year when the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced its 2018 examination priorities, OCIE stated that a core priority was to protect retail investors, including seniors and individuals saving for retirement. OCIE is now continuing this effort by focusing on mutual funds and exchanged-traded funds (together, the “Funds”) as the … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.