The SEC’s cyber security roadmap

Introduction
Earlier in August, the Securities and Exchange Commission (“SEC”) in the U.S. issued a risk alert on its examinations of broker-dealers, investment advisers and investment funds, assessing their cyber security preparedness.
This is the fifth risk alert of its kind from the SEC, which began focusing on the issue in April 2014 in the wake of increased awareness of data security in the investment adviser and investment fund arena.
Summary
This article provides a roadmap for you or your IT staff to protect your firm’s vital data and that of your investors or customers. It is broken down into five sections: (i) an overview of the frequency of data breaches globally, (ii) SEC examination observations, (iii) key cyber security compliance risks, (iv) core elements of a robust cyber security policy and program, and (v) conclusion.
The frequency of data breaches globally shows the need for robust cyber security
The Ponemon Institute’s 2017 research report on data breaches found that firms in India, the Middle East and the U.S. suffered the largest number of breaches.
As figure 3 below shows, ASEAN was not in the top three but still recorded 21,045 data breaches during the 2016 calendar year covered by the report.


SEC Examination Observations
The SEC looked at governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Of the 75 firms examined, the SEC observed the following about broker-dealers, advisers and funds:
· Almost all conducted periodic risk assessments of critical systems to identify cyber threats, vulnerabilities and the business consequences of a cyber incident.
· Almost all conducted penetration tests and vulnerability scans on critical computer systems; however, not all firms fixed the high risk vulnerabilities in a timely manner.
· All used a system, utility or tool to prevent, detect and monitor the loss of personally identifiable information.
· A majority had a process in place to ensure regular system maintenance, including software patches to address security vulnerabilities; however, not all critical updates were installed in a timely manner, if at all.
· Nearly all had a cyber security policy, procedure and response plan in place.
· Nearly all firms had a cyber security organizational chart and designated roles and responsibilities.
· Nearly all firms had policies and procedures to verify the identity of customers requesting to transfer funds.
· Most firms conducted initial and ongoing vendor risk assessments.
Key cyber security compliance risks
The following areas were noted as needing additional attention or improvement:

Examples of specific compliance risks
1. Requiring annual customer protection reviews, but not conducting the reviews annually.
2. Requiring ongoing security protocol reviews, but not conducting them annually, if at all.
3. Providing contradictory or confusing instructions to employees regarding security procedures.
4. Requiring all employees to complete the firm’s cyber security training program, but having no mechanism to confirm that every employee actually completed it.
Core elements of a robust cyber security policy and program
The SEC noted core elements from the best programs examined which are:

· Cyber security policies that maintained an inventory of critical data, information and vendors, with a risk classification for each.
· Detailed cyber security instructions covering system penetration tests, security monitoring and auditing, tracking and monitoring of access rights, and specific procedures to follow if sensitive information is lost or stolen.
· Defined schedules and processes for testing vulnerabilities.
· Established and enforced controls to access data and systems.
· Mandatory employee training.
· Engaged senior management.
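Two of the SEC’s observations above, that high-risk findings and critical patches were not addressed in a timely manner, and that the best programs kept a defined schedule for testing vulnerabilities, both come down to measuring what the scanner reports against a written SLA. The following is an added example, not from the SEC alert or this article, of that measurement in Python: it runs over constructed scan findings and a constructed scan log and reports open findings past their remediation deadline, findings that were fixed late, and critical systems whose last scan is older than the policy allows. The SLA values, system names and finding IDs are hypothetical.

```python
"""Added example: remediation-SLA and scan-cadence check over constructed
vulnerability-scan data (not from the SEC alert or the original article).

Hypothetical policy assumed here: critical findings fixed within 7 days,
high within 30, medium within 90, low within 180; every critical system
scanned at least every 30 days."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical remediation SLA (days) per scanner severity.
REMEDIATION_SLA_DAYS: Dict[str, int] = {
    "critical": 7, "high": 30, "medium": 90, "low": 180}
# Hypothetical maximum age of the most recent scan of a critical system.
SCAN_INTERVAL_DAYS = 30


@dataclass(frozen=True)
class Finding:
    finding_id: str
    system: str
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None  # None means the finding is still open


def sla_deadline(f: Finding) -> date:
    """Date by which policy says this finding must be remediated."""
    return f.first_seen + timedelta(days=REMEDIATION_SLA_DAYS[f.severity.lower()])


def overdue_findings(findings: List[Finding], as_of: date) -> List[Tuple[str, int]]:
    """Open findings past their deadline as (id, days overdue), worst first."""
    out = [(f.finding_id, (as_of - sla_deadline(f)).days)
           for f in findings
           if f.fixed_on is None and as_of > sla_deadline(f)]
    return sorted(out, key=lambda item: -item[1])


def late_fixes(findings: List[Finding]) -> List[str]:
    """Findings that were closed, but only after the SLA deadline had passed.
    These no longer show up as open, yet they are still a policy breach."""
    return sorted(f.finding_id for f in findings
                  if f.fixed_on is not None and f.fixed_on > sla_deadline(f))


def stale_scans(scans: List[Tuple[str, date]], critical_systems: Set[str],
                as_of: date) -> List[str]:
    """Critical systems never scanned, or not scanned within SCAN_INTERVAL_DAYS."""
    last_scan: Dict[str, date] = {}
    for system, scanned_on in scans:
        if system not in last_scan or scanned_on > last_scan[system]:
            last_scan[system] = scanned_on
    cutoff = as_of - timedelta(days=SCAN_INTERVAL_DAYS)
    return sorted(s for s in critical_systems
                  if s not in last_scan or last_scan[s] < cutoff)


# Constructed sample data; systems and IDs are hypothetical.
AS_OF = date(2017, 9, 1)
CRITICAL_SYSTEMS = {"ordersys", "crm", "fileshare"}
SAMPLE_FINDINGS = [
    Finding("F-1", "ordersys", "high", date(2017, 7, 1)),                  # open, past 30-day SLA
    Finding("F-2", "ordersys", "medium", date(2017, 7, 15)),               # open, within 90-day SLA
    Finding("F-3", "crm", "critical", date(2017, 8, 20), date(2017, 8, 25)),  # fixed on time
    Finding("F-4", "crm", "high", date(2017, 5, 1), date(2017, 7, 15)),   # fixed, but late
    Finding("F-5", "fileshare", "low", date(2017, 1, 1)),                  # open, past 180-day SLA
]
SAMPLE_SCANS = [
    ("ordersys", date(2017, 8, 28)),
    ("crm", date(2017, 7, 20)),        # older than 30 days as of AS_OF
    ("ordersys", date(2017, 7, 29)),
]                                      # fileshare never scanned


if __name__ == "__main__":
    print("overdue:", overdue_findings(SAMPLE_FINDINGS, AS_OF))
    print("fixed late:", late_fixes(SAMPLE_FINDINGS))
    print("stale scans:", stale_scans(SAMPLE_SCANS, CRITICAL_SYSTEMS, AS_OF))
```

The report separates open-and-overdue findings from findings that were eventually fixed late, because a dashboard that only counts open items hides exactly the "not in a timely manner" pattern the SEC flagged; both lists, plus the stale-scan list, are what an examiner would expect a firm to be able to produce against its own written schedule.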
Conclusion
Cyber security in the digital era is, and will remain, a top priority for the SEC as well as other regulators around the world, and it will only become more important as financial services disruption brings new and innovative services to every corner of the financial services ecosystem.
Broker-dealers, investment advisers and funds should use the issues outlined by the SEC as a checklist for auditing their own cyber security policies. Firms that have no cyber security policies or procedures in place are playing with fire in an era where cyber security is constantly growing in importance and in its potential financial impact on the business.
