Stick to the plan
While almost every firm conducted some type of risk assessment, SEC examiners found that some were failing to adhere to their own policies. For example, many firms had policies calling for annual or ongoing security reviews, but in practice conducted those evaluations less frequently.
Make it specific
Too many firms seem to be relying on off-the-shelf checkbox compliance programs that are downloaded from the internet, OCIE examiners found. Some firms were relying on policies that were vague and not "reasonably tailored" to the firm's operations, meaning they were of limited value.
Set your staff straight
OCIE found that some firms "created contradictory or confusing instructions for employees" that could put cybersecurity concerns at odds with the business operations. In particular, the commission learned that some firms struggled with inconsistent policies governing remote client access and transferring funds.