The results of the SEC’s second cybersecurity sweep examinations are in, and they paint a picture of an industry that has come to grips with the need to address cybersecurity risk, but where the canvas is incomplete in many respects. On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on “Observations from Cybersecurity Examinations” in which it describes its findings from examinations of 75 investment advisers and broker-dealers.
The Risk Alert is broken down into observations and issues identified at firms, including the following:
- Most advisers now address cybersecurity to some extent in their policies and conduct cybersecurity risk assessments. Reg. S-P and Reg. S-ID were mostly addressed. Policies lagged in other cyber areas.
- Half of advisers now conduct penetration tests or vulnerability scans to monitor their networks.
- Software patching has improved at firms in the last two years.
- Initial vendor due diligence by advisers has improved, although half of the advisers don’t follow up with ongoing due diligence of their vendors.
- Firms had policies on cybersecurity training for their staff but were not enforcing or tracking it.
Ascendant has noted previously that cybersecurity-related deficiencies are likely to fall in one of three buckets:
- Not having cybersecurity policies in place
- Having inadequate cybersecurity policies that have not been tailored to the firm
- Having strong cybersecurity policies but not adhering to them
The Risk Alert summarizing the Phase 2 Cyber Exams specifically confirmed these shortcomings, revealing that while most firms now have cyber policies, “a majority of the firms’ information protection policies and procedures appeared to have issues.”
It also observed several elements common to firms that had implemented robust controls, including maintenance of an inventory of data, information, and vendors, along with classification of risks and vulnerabilities; detailed cybersecurity-related instructions such as access rights related to employee onboarding and responsibilities; established and enforced access controls such as required immediate termination of access for terminated employees; mandatory information security employee training; and an engaged senior management staff that vets and approves policies and procedure.
Since its inception, Ascendant has been assisting investment advisers on Regulation S-P and business continuity issues, and since 2012 to help firms create information security policies and procedures reasonably designed and tailored to their firms.
And we are pleased to say that the issues identified in the Phase 2 cybersecurity examination summary are ones that we have helped clients of our cybersecurity services address through custom cybersecurity policies, cybersecurity testing, and training.
The SEC makes clear in the Risk Alert that cybersecurity exams are here to stay. If you’d like to see how Ascendant’s cybersecurity team can strengthen your cybersecurity program, or need help with services like cybersecurity risk assessments, vulnerability scanning, penetration testing, social engineering testing, and cyber training, please contact us.