On August 7, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert summarizing the results of its second cybersecurity preparedness examination. The examination, which OCIE conducted in 2015-2016, covered a one-year period beginning in October 2014 and surveyed 75 regulated broker-dealers, investment advisers and funds. OCIE's report observed that financial firms had increased their cybersecurity preparedness since OCIE's previous cybersecurity examination, the results of which were released in February 2015. However, OCIE also found that there were numerous areas where firms could improve their cybersecurity compliance and oversight.

OCIE's report highlighted various improvements in the industry since the previous examination. Notably, all of the examined broker-dealers and funds, and nearly all of the examined advisers, maintained written cybersecurity policies and procedures regarding protecting customer/shareholder information and records. Further, the vast majority of examined firms conducted periodic cybersecurity risk assessments. Additionally, all of the examined firms had implemented some way of preventing, detecting and monitoring data loss pertaining to personally identifiable information. The report also noted that the majority of examined firms engaged in penetration testing and conducted vulnerability scans, obtained or conducted vendor risk assessments, and had a process for ensuring regular system maintenance.

Despite these positive findings, OCIE observed that the "vast majority" of examined firms had one or more cybersecurity deficiencies to address. In particular, OCIE observed that many firms' cybersecurity policies and procedures were "not reasonably tailored" because, for example, "they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies." Further, OCIE observed that firms "did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms' actual practices." (OCIE noted, for example, that some firms failed to perform ongoing security reviews and/or ensure that all employees completed cybersecurity awareness training.) OCIE also found that some firms lacked procedures needed to address Regulation S-P, which governs the privacy of consumer financial information.