SEC Cyber Sweep Highlights Areas In Need of Improvement

The results of the SEC’s second cybersecurity sweep examinations are in, and they paint a picture of an industry that has come to grips with the need to address cybersecurity risk, but where the canvas is incomplete in many respects. On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on “Observations from Cybersecurity Examinations” in which it describes its findings from examinations of 75 investment advisers and broker-dealers.

The Risk Alert is broken down into observations and issues identified at firms, including the following:

  • Most advisers now address cybersecurity to some extent in their policies and conduct cybersecurity risk assessments. Reg. S-P and Reg. S-ID were mostly addressed. Policies lagged in other cyber areas.
  • Half of advisers now conduct penetration tests or vulnerability scans to monitor their networks.
  • Software patching has improved at firms in the last two years.
  • Initial vendor due diligence by advisers has improved, although half of the advisers don’t follow up with ongoing due diligence of their vendors.
  • Firms had policies on cybersecurity training for their staff but were not enforcing or tracking it.

Ascendant has noted previously that cybersecurity-related deficiencies are likely to fall in one of three buckets:

  • Not having cybersecurity policies in place
  • Having inadequate cybersecurity policies that have not been tailored to the firm
  • Having strong cybersecurity policies but not adhering to them

The Risk Alert summarizing the Phase 2 Cyber Exams specifically confirmed these shortcomings, revealing that while most firms now have cyber policies, “a majority of the firms’ information protection policies and procedures appeared to have issues.”

It also observed several elements common to firms that had implemented robust controls, including maintenance of an inventory of data, information, and vendors, along with classification of risks and vulnerabilities; detailed cybersecurity-related instructions such as access rights related to employee onboarding and responsibilities; established and enforced access controls such as required immediate termination of access for terminated employees; mandatory information security employee training; and an engaged senior management staff that vets and approves policies and procedure.

Since its inception, Ascendant has been assisting investment advisers on Regulation S-P and business continuity issues, and since 2012 to help firms create information security policies and procedures reasonably designed and tailored to their firms.

And we are pleased to say that the issues identified in the Phase 2 cybersecurity examination summary are ones that we have helped clients of our cybersecurity services address through custom cybersecurity policies, cybersecurity testing, and training.

The SEC makes clear in the Risk Alert that cybersecurity exams are here to stay. If you’d like to see how Ascendant’s cybersecurity team can strengthen your cybersecurity program, or need help with services like cybersecurity risk assessments, vulnerability scanning, penetration testing, social engineering testing, and cyber training, please contact us.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Tips to Prevent an SEC OCIE Investment Adviser Exam from Going Bad

Strategies to employ when an SEC OCIE adviser exam goes bad drew a great crowd at the recent CSS Ascendant Fall Compliance Conference. Proactively pointing an exam in the right direction was a consistent theme, summarized by the familiar refrain: “There is no substitute for preparation.” A few keys to note if you find your … Continued

Giving Voice to Values: A New Approach to Ethics

The “Giving Voice to Values” program grew out of Professor Mary Gentile’s frustration of what was going on in both the financial industry and in higher education. She was frustrated and angry about the poor way that ethics was being taught in universities and applied in real-world scenarios. What developed out of her frustration is … Continued

Tips for Developing a Tailored Private Fund Compliance Calendar

As regulatory concerns proliferate and become more complex, developing and monitoring your “to-do” list becomes of paramount importance.  John Gentile, the Director of Private Fund Manager Services for Compliance Solutions Strategies and Michael Emanuel, a Partner at Stroock & Stroock & Lavan LLP provided attendees of the recent CSS 2019 Fall Conference some insight into … Continued