Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures. https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf. In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.
For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; used a system to prevent data loss; installed software patches; adopted response plans; and conducted vendor risk assessments. However, all the news was not good. OCIE believes that these firms should have better tailored policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that various vulnerabilities were addressed in a timely fashion. OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.
In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection. It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.