On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert, based on OCIE’s findings stemming from its Cybersecurity 2 Initiative.
In the 3 years since its first cybersecurity initiative, OCIE has seen significant growth in cybersecurity compliance measures at both broker-dealers and investment advisers. While there has been significant improvement in cybersecurity policies and preparedness, the office highlighted issues that all firms should note.
One of the recurring issues identified in the Risk Alert is policies and procedures that were not tailored to reflect a firm’s actual operations and processes.
A second issue OCIE highlighted is failure to follow cybersecurity policies and procedures already in place. For example, many firms had provisions for testing and employee training but either lacked documentation of those efforts or did not carry them out as their own policies specified. Many firms also had policies that were likely written without sufficient consultation and coordination with key employees.
The Risk Alert also listed a number of best practice suggestions for firms to review and implement, including mandatory employee training.
NRS, recognizing that cybersecurity will continue to be an important element of SEC examinations, is finalizing a cybersecurity solution for firms that includes policies and procedures as well as technical services like “right-sized” penetration testing, vulnerability assessment, vendor risk management, and training. If you would like to learn more about this service offering or discuss any other compliance issues, please contact us today.