Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert that summarized findings from the agency’s examinations of the practices employed by financial service firms to address cybersecurity risks.
The focus and results of the OCIE’s evaluation offer firms insight into the types of information security and cybersecurity practices that the SEC considers key to helping organizations manage cyber threats and mitigate the effects of cybersecurity incidents. The survey also confirmed that financial firms remain an attractive target for hackers. The OCIE assessment found that 88% of broker-dealers and 74% of advisers have experienced cybersecurity incidents (usually related either to malware or fraudulent emails) directly or through vendors.
The OCIE conducted the examinations in connection with its Cybersecurity Examination Initiative. The initiative was designed to assess cybersecurity preparedness in the securities industry and to gather information about the industry’s recent experiences with cyber threats. OCIE staff interviewed fifty-seven registered broker-dealers and forty-nine registered investment advisers.
The examination suggests that the SEC considers the following practices to be key to helping organizations manage cyber threats and mitigate the effects of cybersecurity incidents:
- Maintaining written information security policies that:
  - outline the firm’s plans to recover from cybersecurity incidents;
  - mitigate the effects of such incidents;
  - address the firm’s responsibility for client losses associated with cyber attacks; and
  - are based on cybersecurity risk management standards, such as those published by the National Institute of Standards and Technology, the International Organization for Standardization, or the Federal Financial Institutions Examination Council;
- Conducting firm-wide periodic risk assessments that identify:
  - cybersecurity threats and vulnerabilities; and
  - potential business consequences of cyber attacks;
- Training employees on the firm’s cybersecurity policies, including raising awareness of social engineering attacks and following proper identity authentication policies;
- Participating in cyber threat information sharing networks, such as FS-ISAC;
- Conducting a firm-wide inventory, cataloguing or mapping of the firm’s technology resources, including logging capabilities and practices;
- Implementing cybersecurity elements in the firm’s vendor management program;
- Using encryption mechanisms to protect data;
- Educating clients on the protection of sensitive information;
- Designating a business function to oversee the firm’s cybersecurity efforts, such as a Chief Information Security Officer; and
- Conducting periodic audits to determine the firm’s compliance with its information security policies.
Organizations regulated by the SEC should evaluate their cybersecurity practices and adjust them, as appropriate, to align with the guidance offered by the OCIE examination, as well as by the Commission and the Financial Industry Regulatory Authority. Notably, both agencies made cybersecurity a priority for 2015.