OCIE Evaluates Cybersecurity in the Securities Industry

In February, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a risk alert regarding the cybersecurity preparedness of the securities industry. OCIE examined 57 registered broker-dealers and 49 registered investment advisers as a part of its “Cybersecurity Examination Initiative,” which was announced in the spring of 2014.

OCIE collected information from these firms regarding risks related to cybersecurity policies, remote access to client funds, designation of Chief Information Security Officers (“CISO”) and third-party vendors. Key findings of the examinations are discussed below:

  1. Written Cybersecurity Policies

The vast majority of examined broker-dealers and registered investment advisers had adopted written cybersecurity policies. However, only half of registered investment advisers had business continuity plans that included written policies for responding to cybersecurity attacks. Most firms did not address who would be held responsible for client losses, and only 9% of investment advisers offered security guarantees for client losses. Advisers and broker-dealers should review their business continuity policies and consider any relevant updates with respect to cybersecurity issues.

  2. Role of Third-Party Vendors

OCIE focused on the examined firms’ monitoring of third-party vendors that have access to firm networks. Only 32% of investment advisers required third-party vendors to conduct “cybersecurity risk assessments,” and only 24% had cybersecurity requirements in their contracts. In contrast, almost 75% of broker-dealers had cybersecurity requirements in their third-party vendor contracts. OCIE considers the sharing of information with vendors to increase the likelihood of cyber-related incidents. Investment advisers should consider following the lead of these broker-dealers and include cybersecurity requirements in their third-party vendor contracts.

  3. CISO or Chief Technology Officer (“CTO”)

Whether a firm designated a CISO or a CTO tended to vary with the type of firm: 68% of broker-dealers versus 30% of registered investment advisers identified a CISO. Registered investment advisers typically assigned CISO duties to a Chief Compliance Officer (“CCO”) or CTO. Though compliance will naturally be involved in cybersecurity policies for financial firms, given the complexity of these issues, technology experts should be more deeply and substantively involved.

  4. Cybersecurity Incidents

About 75% of both broker-dealers and registered investment advisers that were examined had experienced a cybersecurity incident. The most common issues involved fraudulent emails or malware. The fraudulent emails, in particular, should be considered a serious issue, given the Regulation S-ID requirements that became effective in May 2013 for SEC-registered investment advisers and others registered with the Commodity Futures Trading Commission. Read our article on this topic here.

Almost all examined firms had written policies in place, but 25% of broker-dealers cited employees not following procedures as a reason for losses, highlighting the importance of initial and ongoing training for all employees on the key points of those policies. Consider holding a separate, more detailed training for those involved in client services, finance and other areas more likely to be on the front lines of a cyber-attack.

Even the smallest client loss, reimbursed by the firm, can damage its relationship with the client in question; a series of losses or other failures could erode confidence across the client base and invite regulatory scrutiny. Firms should be proactive not only in adopting policies, but also in emphasizing training, monitoring and reevaluating those policies in light of evolving threats.

  5. Final Thoughts

Many firms modeled their cybersecurity policies and procedures on frameworks published by the National Institute of Standards and Technology, the International Organization for Standardization and the Federal Financial Institutions Examination Council. Additionally, many firms looked to industry organizations as a means of gaining more information about cybersecurity risks.

The OCIE risk alert highlights OCIE’s cybersecurity priorities and current industry practices. Investment advisers should recognize that cybersecurity testing will likely become a part of standard OCIE examinations in the future. Proper cybersecurity requires ongoing monitoring, robust training and possibly expensive IT infrastructure. However, firms must consider their duty to safeguard client information and assets. The time and money spent on cybersecurity can prevent a loss of client trust and damage to a firm’s reputation.
