Cybersecurity is more than just a trending topic.  As hacks and leaks continue to be publicized, the Securities and Exchange Commission is stepping up its game and increasing its focus on cybersecurity compliance.

The SEC’s Office of Compliance and Inspections recently released an initial summary of their findings from their 2014 OCIE Cybersecurity Initiative.  The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the legal, regulatory, and compliance issues associated with cybersecurity.  While the OCIE admits that their staff “is still reviewing the information to discern correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics”, the Cybersecurity Examination Sweep Summary details the OCIE’s initial observations related to cybersecurity.

The OCIE found that most of the examined firms have implemented the following cybersecurity initiatives:

  • Adopt written information security policies;
  • Conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences;
  • Conduct firm-wide inventorying, cataloging, or mapping of their technology resources;
  • Use some form of encryption; and
  • Provide clients with suggestions for protecting their sensitive information.

Regarding certain cybersecurity initiatives, however, the OCIE frequently found broker-dealers to be better positioned than advisers.

  • 72% of broker-dealers incorporate cybersecurity risk policies into contracts with vendors and business partners, compared to only 24% of advisers that incorporate such requirements.
  • 68% of broker-dealers have an explicitly designated Chief Information Security Officer (“CISO”), while only 30% of advisers follow suit (instead opting to direct cybersecurity responsibilities towards their CTO, CCO, CEO, COO, or even a third-party consultant).
  • 58% of broker-dealers maintain insurance for cybersecurity incidents, while only 21% of advisers maintain cybersecurity insurance.

The OCIE’s summary also noted that less than half of the examined firms identify best practices through information-sharing networks.  This is an area in which firms could improve their cybersecurity efforts across the board.

FINRA has also identified cybersecurity as one of its areas of focus in 2015, promising to “review firms’ approaches to cybersecurity risk management, including their governance structures and processes for conducting risk assessments and addressing the output of those assessments” this year.  FINRA recently released its Report on Cybersecurity Practices, which provides a much more in-depth report on cybersecurity and encourages firms to pursue various cybersecurity initiatives as well.

Cybersecurity remains a real threat.  Indeed, in its summary, the OCIE found that “[m]ost of the examined firms reported that they have been the subject of a cyber-related incident.”  Firms that have not yet adopted the above cybersecurity initiatives should consider doing so, as the SEC and FINRA are clearly sending not-so-subtle messages about the areas of cybersecurity compliance they expect to find during examinations.

For more information and resources related to cybersecurity, check out Fox Rothschild’s Privacy Compliance & Data Security blog.