9 cybersecurity steps the SEC wants to see

By Kenneth Corbin

Published August 11, 2017 2:14 PM

|

Updated May 28, 2021 10:34 AM

1 Min Read

The Securities and Exchange Commission flag flies in front of a building.

The SEC has asked for feedback on the existing collection of information for Rule 15c2-12 on disclosure.

Bloomberg News

The SEC's cybersecurity punch list

The SEC has made no secret it expects advisors and brokers to ramp up their policies and procedures to guard against cyberattacks. Now, after a second wave of examinations focusing on firms' defenses, the commission's Office of Compliance Inspections and Examinations has produced a risk alert detailing the do's and don'ts for firms.

Know your weaknesses

OCIE examiners praise firms that have "taken a complete inventory" of their data and information assets, and identified the potential risks to their systems, including those that could arise from third-party vendors.

Stick to the plan

While almost every firm conducted some type of risk assessment, SEC examiners found that some were failing to adhere to their own policies. For example, many firms had policies calling for annual or ongoing security reviews, but in practice conducted those evaluations less frequently.

Make it specific

Too many firms seem to be relying on off-the-shelf checkbox compliance programs that are downloaded from the internet, OCIE examiners found. Some firms were relying on policies that were vague and not "reasonably tailored" to the firm's operations, meaning they were of limited value.

Set your staff straight

OCIE found that some firms "created contradictory or confusing instructions for employees" that could put cybersecurity concerns at odds with the business operations. In particular, the commission learned that some firms struggled with inconsistent policies governing remote client access and transferring funds.

Follow through on employee training

While firms typically required employees to undergo cybersecurity training, OCIE found that some did not actually ensure that those sessions were completed.

Keep technology up to date

Some firms were falling down on system maintenance, the OCIE reported. They used older, unpatched operating systems and failed to address the vulnerabilities identified in the penetration tests that they conducted.

Lock down access to systems and data

The firms that maintained strict policies governing who has access to what type of data were ahead of the game on cybersecurity, the OCIE found. Successful practices include "acceptable use" policies clarifying employees' responsibilities when using company systems, and promptly shutting down access for employees when they leave the firm.

Have a response plan

OCIE praised firms that had a plan for how to respond to a cyberattack. If hackers breach systems and compromise sensitive information, the firm can minimize the damage by having a protocol for what actions to take and whom to contact.

Set the tone from the top

OCIE indicated that members of a firm's senior management must be involved in vetting and approving cybersecurity policies and procedures. In other words, cybersecurity must be considered first and foremost a business priority.

Contributing Writer

Kenneth Corbin is a Financial Planning contributing writer in Boston and Washington. Follow him on Twitter at @kecorb.

Practice management

Practice structure

SEC regulations

MORE FROM FINANCIAL PLANNING

Know Your Niche

How an advisor reined in a niche with high-end horse owners

For our Know Your Niche series, Steve Mason, with Bank of America's Private Bank, has developed a client base out of horse lovers like himself.

By Brian Wallheimer
Editor-in-chief

1h ago
Industry News

Crediting 'same-store sales,' UBS is back in the black with new assets

After experiencing $14 billion in assets outflows in the last quarter of 2025, UBS brought in more than $5 billion in the first quarter of this year.

By Dan Shaw
Reporter

2h ago
Industry News

Cetera merges employee firms to form $19B RIA

The newly formed Cetera Planning Partners is part of the firm's plan to broaden its channel for advisors working as direct employees.

By Staff report

April 28
Regulation and compliance

Alpine to appeal latest defeat in challenge of FINRA's constitutionality

A federal judge finds that the embattled brokerage Alpine Securities' argument that FINRA should answer to the federal executive branch amounts to " wishful thinking" that "collapses under the weight of spiraling aspiration."

By Dan Shaw
Reporter

April 28
Wealth management

Edward Jones and American Funds: A 60-year revenue-sharing alliance

The firms' collaboration shines a light on how the wealth management business works today and how it is evolving, as advisors weigh independence against the risks of "poking the bear" when they leave.

By Tobias Salinger
Chief Correspondent

April 28
Investment strategies

Private credit is deliberately illiquid — did advisors explain that?

Matthew Pallai said he has no doubt wealth managers explained the risks of private credit when recommending it to clients, but the recent rush to withdraw money from credit funds suggests "they probably should have said it more often and said it louder."

By Dan Shaw
Reporter

April 27

Load More