Expect Focus Life Insurance, September 2017

OCIE Lessons From Cybersecurity 2 Initiative

Cybersecurity and Privacy   |   Financial Services Regulatory   |   Life, Annuity, and Retirement Solutions   |   Technology   |   September 26, 2017
Share Page

On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert containing observations from its Cybersecurity 2 Exam Initiative. As a follow-up to the 2014 Cybersecurity 1 initiative, the Cybersecurity 2 Initiative examined the cybersecurity preparedness of 75 SEC-registered broker-dealers, investment advisers, and investment companies (funds) for the period of October 2014 through September 2015. In its report, OCIE identified issues of continuing concern, and articulated some best practices recommendations.

Overall, OCIE noted an observable increase in examined firms’ cybersecurity preparedness in comparison to the prior examination. All broker-dealers, all funds, and nearly all investment advisers now maintain written cybersecurity policies and procedures. To varying degrees, a majority or many of the examined firms: conduct periodic risk assessments; conduct penetration tests and vulnerability scans (although they did not always remediate the weaknesses identified); have tools to prevent, detect, and monitor data loss; maintain processes to ensure regular system maintenance (although patches are not always installed immediately); maintain cybersecurity organizational charts; have obtained authorization from customers and/or shareholders to transfer funds to third-party accounts; and require vendor risk assessments or risk management and performance reports.

Despite that progress, OCIE highlighted three persistent issues. First, policies and procedures are often not reasonably tailored to the firm or risk, instead offering general or vague guidance and limited examples of appropriate safeguards. Next, firms maintain policies and procedures but neglect to meaningfully enforce compliance with them, or such policies and procedures fail to accurately reflect the firms’ actual practices. For instance, annual reviews are not conducted annually, ongoing reviews of security protocols are conducted only annually, or firms fail to ensure that employees attend required cybersecurity trainings. Finally, firms failed to adequately maintain their systems as related to Regulation S-P, for example by neglecting to install software security patches, using outdated operating systems, or not conducting appropriate remediation efforts in response to risk assessments.

The risk alert concluded with OCIE’s identification of so-called "robust" policies and procedures for firms to consider, including:

  • maintaining a complete inventory of data, information, and vendors;
  • maintaining detailed instructions regarding penetration tests, security monitoring, system auditing, rights of access to information, reporting, and other cybersecurity-related protections;
  • maintaining strict processes regarding data integrity and vulnerability tests, including prescriptive testing schedules, beta-tests of security patches and other solutions, and prioritization of corrective actions for identified vulnerabilities;
  • establishing data and system access controls and enforcing those controls;
  • imposing mandatory employee training requirements and instituting procedures to ensure those training requirements are satisfied; and
  • maintaining active engagement by senior management officials with all cybersecurity policies and procedures from formulation to enforcement.

While OCIE emphasized these policies as options to consider to improve cybersecurity preparedness, throughout the risk alert it noted that the examinations revealed that untailored policies or general guidance were causes for concern. Affected firms in the industry should not expect that blindly adopting the best practices identified by OCIE will constitute a safe harbor, nor necessarily constitute the most secure approach for every individual firm. Firms should conduct thorough reviews of their policies and procedures in light of their everyday practices, individual circumstances, and current and developing threats to assess their cybersecurity preparedness. Reliance on off-the-shelf and generic boilerplate language is insufficient. This recent initiative built on the Cybersecurity 1 Initiative and involved more validation and testing of procedures and controls. Registered entities should prepare for additional validation and testing in any future SEC examination initiatives.

©2020 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.