September was a big month in cybersecurity. You’d have to be living under a rock to miss the headline-grabbing breaches at Equifax, Deloitte, and yes, the SEC itself.
Equifax (billed by some to be the most impactful breach of all time) failed to patch a well-known vulnerability, Deloitte could have used 2-factor authentication and, well, the SEC is tasked with examining your cybersecurity policies and procedures.
So, if you thought cybersecurity compliance was a priority area for your fund before now, recent events have created a more urgent tone. With that comes a call for you to re-double your cybersecurity efforts. After all, the SEC is now having to re-double theirs.
The View From the SEC: Step-up Efforts to Mitigate Risk
Last month, the SEC acknowledged a hack of its EDGAR electronic filing system. The facts are still coming to light and we can expect that to continue as the SEC commits to its ongoing investigation. On September 20th, SEC Chairman Jay Clayton issued a statement that addresses the matter. In it, he said:
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We must be vigilant. We also must recognize in both the public and private sectors, including the SEC that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
The SEC’s challenge to practice what it preaches may cause some to question its credibility when advising and examining others, but in reality it will make no difference to how your cybersecurity assessment is approached. If anything, it only reinforces the reality of the threat and increases the urgency to step up efforts to mitigate the risk.
And with that in mind, we turn to the findings of the most recent Risk Alert observations, which serve as an important point of reference for your continued focus on cybersecurity policies and procedures.
Cybersecurity Exam Findings: A Policy on the Books is Not Enough
In August 2017, just before the news of the SEC breach was made public, the Office of Compliance Inspections and Examinations (OCIE) issued a risk alert, entitled “Observations from Cybersecurity Examinations,” which provides a summary of findings from examinations of registered broker-dealers and investment companies. This is the first real look we have at results from the commission’s launch of the Cybersecurity 2 initiative.
Among the 75 firms examined, OCIE staff first noted an overall improvement in awareness of cyber related risks and the implementation of certain practices since the Cybersecurity 1 initiative, which was first launched back in 2014. Since then of course, cybersecurity has been named a National Examination Program priority, and has been a clear focus for the regulator.
It should be considered positive that firms have successfully strengthened their cybersecurity programs since the first round of findings, published in the February 2015 Risk Alert “Cybersecurity Examination Sweep Summary.”
The same could not quite be said for meeting the requirements outlined in the Cybersecurity 2 initiative.
This second round of examination criteria, published in September 2015, made it clear that adopting a policy but failing to monitor the ongoing implementation and effectiveness of that policy will be insufficient.
In summary, the OCIE found that while firms have made progressive steps toward cybersecurity policies and procedures in line with this, there is more to be done in the area of effective implementation. Of course, given that this is – and always has been – an arms race, there will always be more to be done.
This round of results follows the OCIE’s stated intent to further assess your cybersecurity preparedness by involving more testing of how procedures and controls are actually implemented. And that’s the challenge firms are facing today. A few highlighted issues from the August Risk Alert include:
- Tailoring: Policies and procedures were not reasonably tailored. Among other issues, many were found to be too narrowly scoped or vague, where they did not articulate procedures for implementing the policies.
- Enforcement: Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not adequately reflect the firms’ actual practices.
- Reviews: Required annual and ongoing reviews were, in practice, performed infrequently or not at all.
- Conflicting guidance: There were contradictory or confusing instructions for employees, such as policies regarding remote customer access that appeared to be inconsistent with those for investor fund transfers, making it unclear to employees whether certain activity was permissible.
- System Maintenance and Regulation S-P: The staff also observed Regulation S-P-related issues at firms that did not appear to adequately conduct system maintenance, such as installing software patches to address security vulnerabilities and applying other operational safeguards to protect customer records and information. Examples included:
  - Stale Risk Assessments: using outdated operating systems that were no longer supported by security patches.
  - Lack of Remediation Efforts: high-risk findings from penetration tests or vulnerability scans that did not appear to be fully remediated in a timely manner.
As noted in its most recent 2017 priorities, the OCIE will continue to examine for cybersecurity compliance procedures and controls, including testing how those procedures and controls are implemented. To that end, the OCIE identified six elements that it recommends you consider adopting as part of your compliance program:
- Maintenance of an inventory of data, information and vendors along with classification of the related risks.
- Detailed cybersecurity policies and instructions relating to penetration testing, security monitoring and system auditing, access rights and data breach reporting.
- Maintenance of prescriptive schedules and processes for testing data integrity, including identifying risks, vulnerability scanning of IT infrastructure, and timely patch management.
- Established and enforced controls for access and monitoring, including acceptable use and mobile device policies, review of third-party vendors and termination of former employee systems access.
- Mandatory employee security training, covering all employees at on-boarding and periodically thereafter.
- Engaged senior management in the vetting, review and approval of policies and procedures.
Cybersecurity remains one of the top compliance risks for financial firms. What has become clear in the last 12 months is that proactively monitoring, measuring and documenting your cybersecurity posture and policies is a key requirement.
The SEC continues to share its focus areas and provides detailed guidance for internal review and action to ensure you are prepared for, and focused on, these cybersecurity needs. As time goes by and cybersecurity policies mature, it stands to reason that the OCIE will not be light-handed with non-compliant firms during examinations.
To find out more about how the Bipsync platform can help support a robust compliance and cybersecurity program at your firm, get in touch.