The SEC's cybersecurity punch list
The SEC has made no secret it expects advisors and brokers to ramp up their policies and procedures to guard against cyberattacks. Now, after a second wave of examinations focusing on firms' defenses, the commission's Office of Compliance Inspections and Examinations has produced a risk alert detailing the do's and don'ts for firms.
Know your weaknesses
OCIE examiners praised firms that had "taken a complete inventory" of their data and information assets and identified the potential risks to their systems, including risks arising from third-party vendors.
Stick to the plan
While almost every firm conducted some type of risk assessment, SEC examiners found that some were failing to adhere to their own policies. For example, many firms had policies calling for annual or ongoing security reviews, but in practice conducted those evaluations less frequently.
Make it specific
Too many firms appeared to be relying on off-the-shelf, checkbox-style compliance programs downloaded from the internet, OCIE examiners found. Policies that were vague and not "reasonably tailored" to the firm's own operations were of limited value.
Set your staff straight
OCIE found that some firms "created contradictory or confusing instructions for employees" that could put cybersecurity concerns at odds with the business operations. In particular, the commission learned that some firms struggled with inconsistent policies governing remote client access and transferring funds.
Follow through on employee training
While firms typically required employees to undergo cybersecurity training, OCIE found that some did not actually ensure that those sessions were completed.
Keep technology up to date
Some firms were falling down on system maintenance, OCIE reported. They ran older, unpatched operating systems and failed to remediate the vulnerabilities identified in their own penetration tests.
Lock down access to systems and data
Firms that maintained strict policies governing who has access to what data were ahead of the game on cybersecurity, OCIE found. Successful practices included "acceptable use" policies clarifying employees' responsibilities when using company systems and promptly revoking access when employees leave the firm.
Have a response plan
OCIE praised firms that had a plan for how to respond to a cyberattack. If hackers breach systems and compromise sensitive information, the firm can minimize the damage by having a protocol for what actions to take and whom to contact.
Set the tone from the top
OCIE indicated that members of a firm's senior management must be involved in vetting and approving cybersecurity policies and procedures. In other words, cybersecurity must be considered first and foremost a business priority.