The results of the most recent SEC OCIE cybersecurity examinations have led the regulatory body to release a new Risk Alert.
The U.S. SEC Office of Compliance Inspections and Examinations (OCIE) recently carried out a new round of cybersecurity examinations. These latest SEC OCIE cybersecurity examinations involved 75 regulated firms and were designed to validate their cybersecurity preparedness. With an added focus on testing whether documented procedures and controls were actually in operation, the examinations uncovered disparities between what firms had written down and what was being carried out day to day.
In this blog, we’ll take a look at the key findings of the SEC OCIE cybersecurity examinations.
SEC OCIE Cybersecurity Examinations
In August 2017, a Risk Alert was issued following the conclusion of the SEC OCIE cybersecurity examinations. The Risk Alert summarised how the SEC OCIE examiners sought to understand regulated firms’ cybersecurity preparedness in terms of:
- Governance and risk assessment
- Access rights and controls
- Data loss prevention
- Vendor management
- Incident response
Examiners noted that firms’ cybersecurity preparedness had improved since the initial SEC OCIE cybersecurity examinations in 2014. Over the course of the examinations, the following key observations were made:
- The majority of examined firms conducted periodic risk assessments to identify cybersecurity threats and vulnerabilities.
- Many firms conducted penetration tests on critical systems. However, some did not remediate the high-risk findings that these tests uncovered.
- All firms utilised data loss prevention tools to safeguard personally identifiable information.
- Most firms carried out regular scheduled maintenance, including security patching. Some firms, however, had failed to install critical security updates.
- Nearly all firms had cybersecurity policies and procedures, along with incident response plans. However, many of these plans were not maintained.
- Almost all firms had organisational charts that described cybersecurity roles and responsibilities.
- Most firms had procedures for verifying the authenticity of client and shareholder requests to transfer funds to third-party accounts.
- Almost all firms carried out vendor risk assessments.
Overall, the examined firms demonstrated an improved cybersecurity risk posture following the 2014 examinations. However, some key weaknesses were also observed in many of the firms.
The examiners noted some recurrent themes in the 75 firms that they assessed. These were summarised in the SEC OCIE Risk Alert as follows:
- Cybersecurity policies and procedures often contained only general guidance, with little explanation regarding their implementation.
- Firms often failed to adhere to or enforce their own policies and procedures, or did not carry out the reviews those policies required, notably client protection reviews, security protocol reviews, and cybersecurity awareness training. Some policies also contained contradictory or confusing instructions for employees.
- Firms with weaker system maintenance and penetration testing programs showed little remediation effort: high-risk findings from penetration tests went unaddressed and critical security updates were left uninstalled.
To address these weaknesses, the Risk Alert provides some key areas for firms to consider:
- Develop an inventory of data, information, and vendors, with a classification of risks associated with each one.
- Implement detailed cybersecurity instructions, including penetration tests, security monitoring and system auditing, access rights, and reporting.
- Maintain prescriptive schedules and processes for vulnerability testing and system maintenance, including the installation of security patches.
- Produce and enforce an acceptable use policy, which defines and controls how users access applications and data.
- Make employee security awareness training mandatory.
- Engage with senior management.
Security Risk Management
The SEC OCIE cybersecurity examinations have established that regulated firms have some way to go before meeting the required levels of preparedness. Capital Support’s Security Risk Management service helps firms understand how to meet SEC OCIE standards. Contact us to learn more.