SEC Cyber Sweep Highlights Areas In Need of Improvement

The results of the SEC’s second cybersecurity sweep examinations are in, and they paint a picture of an industry that has come to grips with the need to address cybersecurity risk, but where the canvas is incomplete in many respects. On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on “Observations from Cybersecurity Examinations” in which it describes its findings from examinations of 75 investment advisers and broker-dealers.

The Risk Alert is broken down into observations and issues identified at firms, including the following:

  • Most advisers now address cybersecurity to some extent in their policies and conduct cybersecurity risk assessments. Reg. S-P and Reg. S-ID were mostly addressed. Policies lagged in other cyber areas.
  • Half of advisers now conduct penetration tests or vulnerability scans to monitor their networks.
  • Software patching has improved at firms in the last two years.
  • Initial vendor due diligence by advisers has improved, although half of the advisers don’t follow up with ongoing due diligence of their vendors.
  • Firms had policies on cybersecurity training for their staff but were not enforcing or tracking it.

Ascendant has noted previously that cybersecurity-related deficiencies are likely to fall in one of three buckets:

  • Not having cybersecurity policies in place
  • Having inadequate cybersecurity policies that have not been tailored to the firm
  • Having strong cybersecurity policies but not adhering to them

The Risk Alert summarizing the Phase 2 Cyber Exams specifically confirmed these shortcomings, revealing that while most firms now have cyber policies, “a majority of the firms’ information protection policies and procedures appeared to have issues.”

It also observed several elements common to firms that had implemented robust controls, including maintenance of an inventory of data, information, and vendors, along with classification of risks and vulnerabilities; detailed cybersecurity-related instructions such as access rights related to employee onboarding and responsibilities; established and enforced access controls such as required immediate termination of access for terminated employees; mandatory information security employee training; and an engaged senior management staff that vets and approves policies and procedure.

Since its inception, Ascendant has been assisting investment advisers on Regulation S-P and business continuity issues, and since 2012 to help firms create information security policies and procedures reasonably designed and tailored to their firms.

And we are pleased to say that the issues identified in the Phase 2 cybersecurity examination summary are ones that we have helped clients of our cybersecurity services address through custom cybersecurity policies, cybersecurity testing, and training.

The SEC makes clear in the Risk Alert that cybersecurity exams are here to stay. If you’d like to see how Ascendant’s cybersecurity team can strengthen your cybersecurity program, or need help with services like cybersecurity risk assessments, vulnerability scanning, penetration testing, social engineering testing, and cyber training, please contact us.

Related Content

Latest Content

Do your Fund Documents Clearly Disclose Receipt of Accelerated Monitoring Fees?

Somewhat more reminiscent of the broken-windows enforcement era, two affiliated private equity advisers managing billions settled with the SEC on charges that they failed to make pre-commitment disclosures in fund governing documents related to accelerated fees received from portfolio companies. Interestingly, according to the Settlement Order, the advisers had made some disclosures in fund documents … Continued

With New Risk Alert, SEC Doubles Down on Best Execution

On July 11, 2018, the SEC issued a Risk Alert outlining commonly found compliance issues related to best execution by investment advisers. Advisers have an obligation to seek best execution of client transactions, taking into consideration quantitative factors such as execution quality and commission rate, as well as more qualitative factors such as the value … Continued

The Cost of Compliance: Understanding and Leveraging Resources

For compliance officers, obtaining the necessary tools and resources to build an effective compliance program can be costly and difficult to implement. How do you distinguish the best in class, the most cost-efficient and effective for use in your program? In this ComplianceCast, speakers David Porteous of Faegre Baker Daniels and Korrine Kohm of Ascendant … Continued

California Privacy Law Brings GDPR-Lite to the U.S.

New Act Will Give Consumers Rights to Access and Delete Their Data In what has become an ongoing race among states to have the toughest privacy regulation in the U.S., California has jumped to the front. On June 28, 2018, California’s legislature unanimously passed a privacy bill that was later signed by Governor Jerry Brown, … Continued

SEC Deficiency Letters Require Swift Action

On the topic of SEC Deficiency Letters, if you have received one, you must promptly take corrective action. The SEC will not tolerate inappropriate delay. The SEC recently imposed an $8 million civil penalty on an adviser who, among other things, failed to promptly take corrective action in its Form ADV filing, following receipt of … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.