The SEC Office of Compliance Inspections and Examinations (“OCIE”) examined 75 broker-dealers, investment advisers and investment companies as part of its Cybersecurity 2 Initiative to assess industry practices concerning cybersecurity preparedness. OCIE National Examination Program staff reported an overall improvement in awareness of cyber-related risks and the implementation of certain cybersecurity practices since the OCIE’s Cybersecurity 1 Initiative.
According to the OCIE Risk Alert, the Cybersecurity 2 Initiative examinations focused on written policies and procedures and included more testing of controls than the first initiative. Specifically, the examinations addressed:
- governance and risk assessment;
- access rights and controls;
- data loss prevention;
- vendor management;
- training; and
- incident response.
Notably, the OCIE found that all broker-dealers, all funds, and nearly all advisers examined in the Cybersecurity 2 Initiative maintained written cybersecurity policies and procedures around the protection of customer/shareholder records. These findings contrasted with those of the Cybersecurity 1 examinations. The OCIE also found firms that were not “adhering to or enforcing” their policies and procedures, and firms where guidance for employees was too general to be actionable. The OCIE report included recommendations for firms to improve the controls in their respective cyber programs.
In a related white paper on cyber risk, the Bank for International Settlements Financial Stability Institute evaluated the regulatory and supervisory initiatives in a number of leading jurisdictions, including Hong Kong SAR, Singapore, the United Kingdom and the United States. The report reviewed supervisory approaches to assessing the cyber-risk vulnerability and resilience of banks. The paper also identified a trend toward “threat-informed” testing frameworks, which use threat intelligence about the attackers an entity is likely to face to design the simulated cyber attacks used when testing that entity’s cybersecurity.