The SEC’s Office of Compliance Inspections and Examinations (OCIE) has wrapped up its latest round of cybersecurity examinations. The recently issued report – “Observations from Cybersecurity Examinations” – presents the following findings related to financial firms’ cybersecurity practices.
OCIE Cybersecurity 2 Initiative
OCIE launched its Cybersecurity 2 Initiative following the first round of examinations conducted in 2014. This time around, OCIE examined 75 firms registered with the SEC (broker-dealers, investment advisers, and investment companies).
The purpose of the second round of examinations was to assess industry practices and compliance issues associated with cybersecurity preparedness. OCIE noted that these examinations focused more on testing of cybersecurity procedures and controls.
Observations & Findings
OCIE staff observed an overall increase in cybersecurity preparedness since the first examinations in 2014.
Areas of improvement included:
- Maintaining cybersecurity-related written policies and procedures to address the protection of customer records
- Conducting risk assessments to identify cybersecurity threats and vulnerabilities
- Conducting penetration tests and vulnerability scans
- Installing software patches to address vulnerabilities
- Identifying cybersecurity roles and responsibilities
- Receiving customer authority for fund transfers
- Conducting vendor risk assessments
One area of concern identified in the report was the failure of firms to tailor or enforce their cybersecurity policies and procedures. Oftentimes, firms would provide employees with only general guidance and offer limited examples of safeguards for employees to leverage.
In their report, OCIE includes a list of examples and best practices for firms to consult when implementing cybersecurity policies and procedures.
The International Monetary Fund (IMF) also issued a report discussing cyber risk – “Cyber Risk, Market Failures, and Financial Stability”. The IMF report highlights the importance of cyber risk as a component of systemic and operational risk.