Observations from SEC conducted cybersecurity examinations

9 August 2017

The Securities and Exchange Commission (SEC) recently announced their findings as part of Office of Compliance Inspections and Examinations (OCIE) Cybersecurity 2 Initiative. The National Examination Program staff recently examined 75 US based firms, including broker-dealers, investment advisers, and investment companies (‘funds’) registered with the SEC.

Because cybersecurity remains at the top of compliance risks for financial firms worldwide, this examination was conducted in the US to evaluate cybersecurity preparedness as a follow-up to the Cybersecurity 1 Initiative in 2014. Cybersecurity 2 put more focus on testing and validating controls and procedures than its predecessor. Staff conducting the exam also evaluated governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

Findings

While overall the SEC noted significant improvement in areas such as awareness, the implementation of vulnerability scans/risk assessments of critical systems and response plans, several areas require improvement and remediation, particularly as it relates to the policies and procedures created after the first examination. The staff concluded that:

  • Policies and procedures were ‘narrowly scoped’ and they did not articulate how to implement the policies, providing employees with only ‘general guidance’
  • Firms were not acting within the scope of their enforced policies and procedures and were not conducting required annual customer protection reviews as frequently as specified
  • Firms were not providing granularity to employees on permissible activities and not requiring that all employees complete cybersecurity awareness training.

Based upon their findings, the NEP have created a list of elements they believe to be useful in the implementation of cybersecurity-related policies and procedures:
https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf

We can help

This year Bovill has expanded its global capabilities by opening an office in United States to further enrich our US regulatory service.

Bovill can provide a comprehensive review of cybersecurity programs to help identify and assess the appropriateness and effectiveness of your firm’s governance systems and controls as well as how the cyber-risks your firm faces interact with other financial crime risks your firm deals with.

If you have any questions about these requirements or need any other support please contact your relationship manager or info@bovill.com.

Share this