October 1, 2017
The SEC recently concluded its second cybersecurity examination initiative covering investment advisers, broker-dealers and investment companies. The examinations focused on the firms’ written policies and procedures regarding cybersecurity, including validating and testing that such policies and procedures were actually implemented and followed.
In addition, the SEC sought to better understand how firms managed their cybersecurity preparedness by focusing on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.
Summary of Examination Observations
In the examinations, the SEC staff observed:
- Nearly all broker-dealers and the vast majority of advisers and funds conducted periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident.
- Nearly all broker-dealers and almost half of the advisers and funds conducted penetration tests and vulnerability scans on systems that the firms considered to be critical, although a number of firms did not appear to fully remediate some of the high risk observations that they discovered from these tests and scans during the review period.
- All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
- All broker-dealers and nearly all advisers and funds had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, the staff observed that a few of the firms had a significant number of system patches that, according to the firms, included critical security updates that had not yet been installed.
- Information protection programs at the firms typically included relevant cyber-related topics, such as:
  - Policies and procedures. Nearly all firms’ policies and procedures addressed cyber-related business continuity planning and Regulation S-P. In addition, nearly all broker-dealers and most advisers and funds had specific cybersecurity and Regulation S-ID policies and procedures.
  - Response plans. Nearly all of the firms had plans for addressing access incidents. In addition, the vast majority of firms had plans for denial of service incidents and unauthorized intrusions. However, while the vast majority of broker-dealers maintained plans for data breach incidents and most had plans for notifying customers of material events, less than two-thirds of the advisers and funds appeared to maintain such plans.
- All broker-dealers and a large majority of advisers and funds maintained cybersecurity organizational charts and/or identified and described cybersecurity roles and responsibilities for the firms’ workforce.
- The vast majority of broker-dealers and nearly two-thirds of the advisers and funds had authority from customers/shareholders to transfer funds to third-party accounts.
- Almost all firms either conducted vendor risk assessments or required that vendors provide the firms with risk management and performance reports (i.e., internal and/or external audit reports) and security reviews or certification reports. While vendor risk assessments are typically conducted at the outset of a relationship, over half of the firms also required updating such risk assessments on at least an annual basis.
Highlighted below are issues the SEC staff believes firms would benefit from considering in order to assess and improve their policies, procedures, and practices:
- While, as noted above, all broker-dealers and funds, and nearly all advisers, maintained written policies and procedures addressing cyber-related protection of customer/shareholder records and information, a majority of the firms’ information protection policies and procedures appeared to have issues. Examples included:
  - Policies and procedures were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.
  - Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices, such as when the policies:
    - Required annual customer protection reviews; however, in practice, they were conducted less frequently.
    - Required ongoing reviews to determine whether supplemental security protocols were appropriate; however, such reviews were performed only annually, or not at all.
    - Created contradictory or confusing instructions for employees, such as policies regarding remote customer access that appeared to be inconsistent with those for investor fund transfers, making it unclear to employees whether certain activity was permissible.
    - Required all employees to complete cybersecurity awareness training; however, firms did not appear to ensure this occurred or take action concerning employees who did not complete the required training.
- The staff also observed Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information. Examples included:
  - Stale Risk Assessments. Using outdated operating systems that were no longer supported by security patches.
  - Lack of Remediation Efforts. High-risk findings from penetration tests or vulnerability scans that did not appear to be fully remediated in a timely manner.
Elements of Robust Policies and Procedures
The SEC also stressed that firms may wish to consider the following elements as they could be useful in the implementation of cybersecurity-related policies and procedures:
- Maintenance of an inventory of data, information, and vendors. Policies and procedures included a complete inventory of data and information, along with classifications of the risks, vulnerabilities, data, business consequences, and information regarding each service provider and vendor, if applicable.
- Detailed cybersecurity-related instructions. Examples included:
  - Penetration tests – policies and procedures included specific information to review the effectiveness of security solutions.
  - Security monitoring and system auditing – policies and procedures regarding the firm’s information security framework included details related to the appropriate testing methodologies.
  - Access rights – requests for access were tracked, and policies and procedures specifically addressed modification of access rights, such as for employee on-boarding, changing positions or responsibilities, or terminating employment.
  - Reporting – policies and procedures specified actions to undertake, including who to contact, if sensitive information was lost, stolen, or unintentionally disclosed/misdirected.
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities. Examples included:
  - Vulnerability scans of core IT infrastructure were required to aid in identifying potential weaknesses in a firm’s key systems, with prioritized action items for any concerns identified.
  - Patch management policies that included, among other things, the beta testing of a patch with a small number of users and servers before deploying it across the firm, an analysis of the problem the patch was designed to fix, the potential risk in applying the patch, and the method to use in applying the patch.
- Established and enforced controls to access data and systems. For example, the firms:
  - Implemented detailed “acceptable use” policies that specified employees’ obligations when using the firm’s networks and equipment.
  - Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications.
  - Required third-party vendors to periodically provide logs of their activity on the firms’ networks.
  - Required immediate termination of access for terminated employees and very prompt (typically same day) termination of access for employees that left voluntarily.
- Mandatory employee training. Information security training was mandatory for all employees at on-boarding and periodically thereafter, and firms instituted policies and procedures to ensure that employees completed the mandatory training.
- Engaged senior management. The policies and procedures were vetted and approved by senior management.