OCIE Finds Increased Cybersecurity But Wants More
The SEC’s Office of Compliance Inspections and Evaluations on August 7 made public its observations from its most recent round of cybersecurity exams – and what it found is encouraging only to a point. The message delivered by OCIE in its National Exam Program risk alert was this: Advisory firms, broker-dealers and investment companies have made strides in providing cybersecurity, but there is still a long way to go.
OCIE examined 75 firms under its Cybersecurity 2 Initiative, begun in 2015. These exams involved more validation and testing of procedures and controls related to cybersecurity than the agency’s 2014 Cybersecurity 1 Initiative.
What the exam staff found in Cybersecurity 2 was definite progress, but shortfalls. "In general, the staff observed increased cybersecurity preparedness since our 2014 Cybersecurity I Initiative (ACA Insight, 2/9/15)," OCIE said in the risk alert. "However, the staff also observed areas where compliance and oversight could be improved."
"It’s good to see that OCIE noticed improvements since the 2014 examinations," said ACA Aponix partner Raj Bakhru. "It was interesting that they noted that the vast majority of the examinations still resulted in one or more issues found. Our experience has also been that most firms have taken a number of steps since OCIE’s initial risk alert."
While the progress is encouraging, said Eversheds-Sutherland partner Brian Rubin, "firms need to be vigilant and keep modifying their approaches as they make further improvements."
The six-page risk alert provides an overview of OCIE’s observations, including issues it observed and suggestions for what firms should consider including in their policies and procedures.
Suggestions or prescriptions?
The SEC historically tends to avoid being prescriptive in its guidance. While there are no "do this" or "do that" statements in this risk alert, OCIE comes close to prescribing actions in several areas. For instance, it lists a number of policy and procedure elements that examiners found some firms effectively using, and suggests that other firms "consider" using them. It does the same with a list of issues that it believes "firms would benefit from considering."
"Everyone should be going through these lists and seeing what they have and don’t have," said Mayer Brown partner Jeffrey Taft. On the other hand, he said, not all the suggestions are right for all firms, given difference in, for instance, firm size, resources and cybersecurity risk assessment.
Policy and procedure elements
Among the items that OCIE wants advisers, funds and broker-dealers to consider are the following specific policy and procedure elements that it said a majority of those it examined were effectively using.
Maintenance of an inventory of data, information and vendors. "Policies and procedures included a complete inventory of data and information, along with classifications of the risks," OCIE said.
Detailed cybersecurity-related instructions. OCIE suggested specific examples, such as detailed instructions for penetration tests, security monitoring and auditing, access rights tracking, and reporting when sensitive information is lost, stolen or disclosed.
Maintenance of prescriptive schedules and processes for data integrity and vulnerability testing. The risk alert notes that some firms require vulnerability scans of core IT infrastructure to "aid in identifying potential weaknesses in a firm’s key systems, with prioritized action items for any concerns identified." It also said that some firms beta test patches with a small number of users and servers before deploying them across the firm, with an analysis of the problem the patch was designed to fix, the potential risk in applying the patch, and the method to use in applying it.
Established and enforced controls to access data and systems. As examples, OCIE noted that it observed that some firms put in place "acceptable use" policies that specified employee obligations when using a firm’s networks and equipment; required and enforced restrictions and controls, such as passwords and encryption software, for mobile devices that connected to the firm’s systems; required third-party vendors to periodically provide logs of their activity on the firm’s networks; and required immediate termination of access for terminated employees and very prompt (typically same day) termination of access for employees who left voluntarily.
Mandatory employee training. "Information security training was mandatory for all employees at on-boarding and periodically thereafter, and firms instituted policies and procedures to ensure that employees completed the mandatory training," OCIE said.
Engaged senior management. Effective firms had their policies and procedures vetted and approved by senior managed.
Issues requiring action
Examiners also found situations where firms were not taking what it considers needed action. These are issues that "the staff believes firms would benefit from considering." They include:
Policies and procedures were not reasonably tailored. The policies and procedures here provided employees with "only general guidance, identified limited examples of safeguard for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies."
Implementation. "Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices." The risk alert provided several examples. Among them, it said that the annual customer protection reviews were performed less frequently than required; that ongoing reviews to determine whether supplemental security protocols were appropriate were performed only annually or "not at all;" that "contradictory or confusing instructions for employees," such as for customer access, were inconsistent with instructions for investor fund transfers; and that failing to ensure that all employees complete required cybersecurity training.
Separately, examiners found Regulation S-P issues among firms that "did not appear to adequately conduct system maintenance, such as the inability of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information." As examples, the risk alert says that examiners found "stale risk assessments" with firms using "outdated operating systems that were no longer supported by security patches;" and a "lack of remediation efforts" by firms after penetration tests or vulnerability scans "did not appear to be full remediated in a timely manner."
Despite the above, examiners did find that firms had made progress in cybersecurity, with the most notable progress being that "all broker-dealers, all funds and nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information." This finding, it said, contrasted with its Cybersecurity 1 observation that "comparatively fewer broker-dealers and advisers had adopted this type of written policies and procedures."
"In some respects, broker-dealers appear to be doing a better job than advisers," said Rubin. "For example, while the vast majority of broker-dealers have mapped out steps they will take if they are breached, fewer than two-thirds of advisers and funds had similar plans."
Here are some of OCIE’s more specific observations from its Cybersecurity 2 Initiative:
Risk assessments. Nearly all broker-dealers and the "vast majority" of advisers and funds conducted periodic risk assessments of critical systems to identify cyber threats, vulnerabilities and potential business consequences of a cyber incident.
Penetration tests. "Nearly all broker-dealers and almost half of the advisers and funds conducted penetration tests and vulnerability scans on systems that the firms considered to be critical." That said, OCIE also noted that "a number of firms did not appear to fully remediate some of the high risk observations that they discovered."
Data loss tools. Some form of system, utility or tool was used by all the firms examined to "prevent, detect and monitor data loss as it relates to personally identifiable information."
System maintenance. While all broker-dealers and "nearly all" advisers and funds had a process in place to ensure regular system maintenance, including the installation of software patches to address security vulnerabilities, the staff did find some problems. Specifically, examiners "observed that a few of the firms had a significant number of system patches that, according to the firms, included critical security updates that had not yet been installed."
Response plans. Nearly all the firms examined had plans for addressing access incidents and the vast majority had plans for denial of service incidents and unauthorized intrusions. When it came to plans for data breach incidents or notifying customers of material events, however, advisory firms and funds fell short. While the vast majority of broker-dealers maintained such plans, OCIE said, "less than two-thirds of the advisers and funds appeared to maintain such plans."
Operational charts. Cybersecurity organizational charts or other methods of identifying and describing cybersecurity roles and responsibilities were maintained by all broker-dealers and a large majority of advisers and investment companies.
Vendor risk assessments. "Almost all firms either conducted vendor risk assessments or required that vendors provide the firms with risk management and performance reports," such as internal and/or external audit reports and security reviews or certification reports. However, OCIE observed, "while vendor risk assessments are typically conducted at the outset of a relationship, over half of the firms also required updating such risk assessments on at least an annual basis."