SEC Cyber Sweep Highlights Areas In Need of Improvement

The results of the SEC’s second cybersecurity sweep examinations are in, and they paint a picture of an industry that has come to grips with the need to address cybersecurity risk, but where the canvas is incomplete in many respects. On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on “Observations from Cybersecurity Examinations” in which it describes its findings from examinations of 75 investment advisers and broker-dealers.

The Risk Alert is broken down into observations and issues identified at firms, including the following:

  • Most advisers now address cybersecurity to some extent in their policies and conduct cybersecurity risk assessments. Reg. S-P and Reg. S-ID were mostly addressed. Policies lagged in other cyber areas.
  • Half of advisers now conduct penetration tests or vulnerability scans to monitor their networks.
  • Software patching has improved at firms in the last two years.
  • Initial vendor due diligence by advisers has improved, although half of the advisers don’t follow up with ongoing due diligence of their vendors.
  • Firms had policies on cybersecurity training for their staff but were not enforcing or tracking it.

Ascendant has noted previously that cybersecurity-related deficiencies are likely to fall in one of three buckets:

  • Not having cybersecurity policies in place
  • Having inadequate cybersecurity policies that have not been tailored to the firm
  • Having strong cybersecurity policies but not adhering to them

The Risk Alert summarizing the Phase 2 Cyber Exams specifically confirmed these shortcomings, revealing that while most firms now have cyber policies, “a majority of the firms’ information protection policies and procedures appeared to have issues.”

It also observed several elements common to firms that had implemented robust controls, including maintenance of an inventory of data, information, and vendors, along with classification of risks and vulnerabilities; detailed cybersecurity-related instructions such as access rights related to employee onboarding and responsibilities; established and enforced access controls such as required immediate termination of access for terminated employees; mandatory information security employee training; and an engaged senior management staff that vets and approves policies and procedure.

Since its inception, Ascendant has been assisting investment advisers on Regulation S-P and business continuity issues, and since 2012 to help firms create information security policies and procedures reasonably designed and tailored to their firms.

And we are pleased to say that the issues identified in the Phase 2 cybersecurity examination summary are ones that we have helped clients of our cybersecurity services address through custom cybersecurity policies, cybersecurity testing, and training.

The SEC makes clear in the Risk Alert that cybersecurity exams are here to stay. If you’d like to see how Ascendant’s cybersecurity team can strengthen your cybersecurity program, or need help with services like cybersecurity risk assessments, vulnerability scanning, penetration testing, social engineering testing, and cyber training, please contact us.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Countdown to CCPA: Are You Ready to Comply with New Data Privacy Requirements?

With less than one month before the California Consumer Privacy Act (CCPA) is effective, companies are preparing to update their cybersecurity programs. Many must address the regulation’s new data privacy requirements, which have caught some financial institutions off guard. Modeled to some extent after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides … Continued

ESMA Updates AIFMD Q&A on Reporting to National Competent Authorities

The European Securities and Markets Authority (ESMA) has updated its Questions and Answers on the Alternative Investment Fund Managers Directive (AIFMD). One new Q&A has been added with regard to reporting to National Competent Authorities. ESMA has provided clarification on reporting on liquidity stress tests for closed-ended unleveraged Alternative Investment Funds (AIFs). These AIFs are exempt from the … Continued

CSS Named to RegTech 100 List of World’s Most Innovative RegTech Companies

NEW YORK – Compliance Solutions Strategies (CSS) is proud to announce its inclusion in the RegTech 100 for 2020, a list recognizing the world’s most innovative RegTech companies compiled by RegTech Analyst, a specialist research firm. “We are honored to be selected as one of the most innovative companies within such a competitive and evolving … Continued