SEC Issues Risk Alert with Cybersecurity Sweep Examinations Summary

On February 3, 2015, the SEC released its long-awaited Risk Alert reviewing the results of OCIE's 2014 cybersecurity sweep examinations, which followed its April 2014 Risk Alert on cybersecurity issues. OCIE's sweep examinations covered the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers.

The Staff performed these examinations to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity and to assess the examined firms' vulnerability to cyber-attacks.

The examined firms varied in size and in the types of clients and services, and were selected to provide data from a cross-section of the financial services industry. On the RIA side, approximately 36.7% of the advisers examined had less than $400 million in Assets Under Management (AUM), 26.5% managed $401-900 million in AUM and 36.7% managed $900 million or more. The largest client-type percentage (67.3%) of those examined was retail or individuals, followed by private funds (14.3%). Diversified/institutional, pension and Registered Investment Companies encompassed the remaining 32.7% of client types. Most of the advisers examined (67%) were also found to have custody.

On the broker-dealer side, of the 57 examined firms, approximately 28% have 501-2000 registered representatives, followed by 22.8% having 51-200 registered representatives. The rest of the population consisted of firms with 0-50, 201-500 and 2001-5000+ registered representatives. With respect to category and peer group, the examined firms included a large portion of retail brokerages (37%).

During their examinations, the Staff collected and analyzed information relating to the firms' practices for: identifying risks related to cybersecurity; establishing cybersecurity governance, including policies, procedures, and oversight processes; protecting firm networks and information; identifying and addressing risks associated with remote access to client information and funds transfer requests; identifying and addressing risks associated with vendors and other third parties; and detecting unauthorized activity.

In addition to reviewing firm documents, the Staff interviewed key personnel to discuss the firms' business and operations; detection and impact of cyber-attacks; preparedness for cyber-attacks; training and policies relevant to cybersecurity; and protocols for reporting cyber breaches.

The examinations did not include reviews of the technical sufficiency of the firms' programs.

Summarized below are the main examination findings:

  • 93% of broker-dealers and 83% of advisers have adopted written information security policies.
  • 89% of the broker-dealers and 57% of the advisers conduct periodic audits to determine compliance with these information security policies and procedures.
  • Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents.
  • 88% of broker-dealers and 53% of advisers are utilizing external standards and other resources to model their information security architecture and processes. The Staff specifically identified the following: National Institute of Standards and Technology ("NIST"), the International Organization for Standardization ("ISO"), and the Federal Financial Institutions Examination Council ("FFIEC").
  • The vast majority of examined firms (93% of broker-dealers and 79% of advisers) conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences.
  • Fewer firms apply these requirements to their vendors. Nevertheless, 84% of broker-dealers and 32% of the advisers require cybersecurity risk assessments of vendors with access to their firms' networks.
  • Most of the examined firms reported that they have been the subject of a cyber-related incident. The majority of the cyber-related incidents were related to malware and fraudulent emails.
  • Many examined firms identify best practices through information-sharing networks.
  • The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources. The Staff noted that firms typically performed this for physical devices and systems; software platforms and applications; network resources, connections, and data flows; connections to firm networks from external sources; hardware, data, and software; and logging capabilities and practices.
  • The examined firms' cybersecurity risk policies relating to vendors and business partners revealed varying findings. For example, broker-dealers were much more likely to incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners (72%) than advisers (24%).
  • 82% of broker-dealers and 51% of advisers have written business continuity plans that address the impact of cyber-attacks or intrusions.
  • Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.
  • Many examined firms provide their clients with suggestions for protecting their sensitive information.
  • The designation of a Chief Information Security Officer ("CISO") varied by the examined firms' business model.
  • Cybersecurity insurance was not typically carried by the examined firms. While just over half of the broker-dealers maintain insurance for cybersecurity incidents (58%), only 21% of the advisers maintain insurance that covers losses and expenses attributable to cybersecurity incidents.

As recently indicated in OCIE's 2015 examination priorities, the Staff will continue to focus on firms' cybersecurity compliance and controls. Accordingly, firms would be well advised to see whether their cyber-related practices, policies and controls are consistent with current market practices (e.g., most firms have adopted written information security policies). Failing to do so, or not making improvements that would address cyber threats and risks, will expose such firms to deficiency findings by the Staff.

SEC3 can assist your firm in assessing and improving its cybersecurity policies and controls. For further information, please contact your regular SEC3 representative or contact us directly.
