Findings and Best Practices from the SEC on Creating an Effective Cybersecurity Program
By: Dionne Fajardo and Trisha Cram
It is no secret that cybersecurity has been a hot topic with regulators. Everyone, including the Securities and Exchange Commission (SEC), FINRA, and state regulators, has been taking a look into cybersecurity and how firms are protecting client data. It came as no surprise when both FINRA and the SEC again included cybersecurity as one of the primary areas of focus in each of their respective 2017 examination priority letters. Over the past few years, each has issued guidance and conducted meetings outlining best practices firms should follow when designing robust cybersecurity programs. Indeed, the Office of Compliance Inspections and Examinations (OCIE) just recently published a Risk Alert on August 7, 2017 reporting on the results of its most recent sweep examination.
Timeline of Cybersecurity Initiatives
While the financial industry continues to wait on definitive rules surrounding cybersecurity, the SEC has made a number of resources available in an effort to provide guidance for firms when implementing and managing their cybersecurity programs. This guidance is used by regulators to establish their expectations without the implementation of definitive rules. The SEC’s guidance was created in part from OCIE’s 2014 Cybersecurity Initiative, where it examined the cybersecurity practices of more than 50 firms, including broker-dealers, investment advisers, and investment companies. The 2014 sweep examination was OCIE’s first expansive look into firms’ existing cybersecurity practices.
OCIE released a summary of the findings from the 2014 sweep initiative in February 2015. The sweep initiative focused on risk, policies and procedures, supervision, data protection, third party vendors, and unauthorized activity. OCIE found that the majority of firms examined had written policies and procedures relating to cybersecurity in place and periodically audited those procedures to ensure they were being followed. However, OCIE noted the policies and procedures generally did not identify who was ultimately responsible for cybersecurity events.
Further, while a majority of the firms examined were indeed testing their policies and procedures, OCIE found that only a small percentage of those firms required similar cybersecurity assessments of their third party vendors, and an even smaller percentage included some type of cybersecurity risk clause in their contracts with third party vendors. Both the SEC and FINRA have indicated that ensuring the security of third party vendors is just as important as ensuring the security of the firm itself.
Cyber-related events are common. Of the firms OCIE examined in 2014, 88% reported a cybersecurity event. OCIE reported many of the events were the result of firm employees not following prescribed policies and procedures (e.g., not confirming the client’s identity prior to wiring funds).
Because of the ongoing risks firms face, regulators have not abated in making cybersecurity a high priority.
In continuation of its efforts, in 2015 OCIE announced the expansion of its sweep examination to focus on its 2014 findings related to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. OCIE inspected 75 firms during this second round of examinations. Fast forward to 2017, and OCIE’s results from that sweep are in.
Firm Cybersecurity Procedures Are Improving
OCIE reports in its recent Observations from Cybersecurity Examinations risk alert that firms increased their overall cybersecurity preparedness in response to its earlier guidance. In fact, OCIE noted that nearly every single firm it examined maintained cybersecurity policies and procedures.
Similar to the 2014 sweep, OCIE found that a majority of the firms it examined conducted periodic risk assessments and penetration tests, and utilized systems to prevent or detect data breaches. OCIE’s findings also noted that nearly all of the firms examined had established processes to ensure regular system maintenance.
OCIE noted several similarities in the cybersecurity programs firms adopted. They found that firms were addressing business continuity planning and privacy concerns in their cybersecurity policies and procedures and nearly all developed response plans to address data breaches (though many firms had not memorialized these plans in their policies and procedures as recommended).
OCIE also found that firms were starting to clearly identify the cybersecurity roles and the responsibilities associated persons were expected to follow. However, OCIE found that there are still steps firms should take to design effective cybersecurity programs.
Guidance on Improving Cybersecurity Procedures
In its latest risk alert, OCIE provided several elements it believes firms should adopt when designing effective cybersecurity programs:
- maintain an inventory of data, information, and vendors;
- create detailed cybersecurity-related instructions in the policies;
- maintain schedules and processes for testing data integrity and vulnerability;
- enforce access controls to data;
- conduct employee training; and
- obtain senior management support and approval of the policies and procedures.
Firm oversight of third party vendors is still a concern. In building on the 2014 sweep results, OCIE noted that while examined firms were regularly conducting risk assessments of their third party vendors, their risk assessments were limited to the outset of the relationship. The SEC affirmed its position that this process is inadequate. Adequate management of third party vendor relationships requires that firms also conduct periodic risk assessments as part of their ongoing due diligence review process. This activity will help firms to assure that third party vendors are continuing to meet their established cybersecurity standards.
While OCIE noted in its risk alert that nearly every examined firm maintained cybersecurity policies and procedures, it expressed its concern that in some cases, cybersecurity program policies and procedures were inadequately tailored to address the specific needs of the firm. That is, the plans were general in nature and on the whole did not provide associated persons with the tools they needed in order to implement the policies. Firms should provide associated persons with specific guidelines regarding what safeguards they should have in place to protect client data. For example, firms typically require full disk encryption on all computers used to store or access client information, however, they should go a step further and also provide guidance to communicate the minimum encryption level deemed acceptable by the firm and offer suggestions for products or vendors that can help an associated person meet a firm’s full disk encryption requirements. Steps such as this will help address OCIE’s concerns.
OCIE found that firms failed to follow or enforce their policies and remediate or address weaknesses identified in their systems. Further, it noted that their policies tended to contain elements of a good cybersecurity program (e.g., requiring annual employee training), however, the elements in many cases were not followed (e.g., no training was completed or was completed less frequently than the policies allowed). This guidance highlights the importance to firms to implement periodic testing of their cybersecurity procedures to ensure procedures are accurate and consistently followed by associated persons. Adding this step to an annual compliance program review and testing will help firms assure their adherence to their cybersecurity policies. Firms should track any noted gaps in procedures and retain records regarding their correction and any necessary additional follow-up actions.
Whether a firm has already established cybersecurity policies and procedures or is in the creation and adoption phase, following best practices published by regulators will help it to assure that they are in compliance with the ever changing landscape related to managing cyber risks.
GK Compliance and Regulatory Services Group offers registered investment advisors and broker-dealers a full array of resources designed to help them comply with their regulatory obligations while still pursuing their business goals. For more information, please contact Dionne Fajardo at email@example.com.
 FINRA, 2017 Annual Regulatory and Examination Priorities Letter (January 2017), available at http://www.finra.org/sites/default/files/2017-regulatory-and-examination-priorities-letter.pdf.
 Sec. and Exch. Comm’n Office of Compliance Inspections and Examinations, Examination Priorities for 2017, available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.
 Sec. and Exch. Comm’n Office of Compliance Inspections and Examinations, Observations from Cybersecurity Examinations, Vol. VI, Issue 5 (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.
 Over the years, industry groups and regulators have provided guidance to firms regarding cybersecurity practices but have failed to develop bright line rules firms can use to implement their programs. As early as September 2014, the North American Securities Administrators Association (NASAA) released its report on cybersecurity, Compilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms. FINRA released its own guidance in February 2015 by way of its Report on Cybersecurity Practices.
 Sec. and Exch. Comm’n Office of Compliance Inspections and Examinations, OCIE Cybersecurity Initiative, Vol. IV, Issue 2 (Apr. 15, 2014).
 Sec. and Exch. Comm’n Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary, Vol. IV, Issue 4 (Feb. 3, 2015).
 Sec. and Exch. Comm’n Office of Compliance Inspections and Examinations, OCIE’s 2015 Cybersecurity Examination Initiative, Vol. IV, Issue 8 (Sept. 15, 2015).
 Observations from Cybersecurity Examinations, supra.