The SEC’s cyber security roadmap

Corey Harris
Aug 28, 2017 · 4 min read

Introduction

Earlier in August, the Securities and Exchange Commission (“SEC”) in the U.S. issued a report on its examination of broker-dealers, investment advisers and investment funds to address cyber security preparedness.

This is the 5th risk alert of its kind from the SEC, which began focusing on this issue in April 2014 in the wake of increased awareness of data security in the investment adviser and investment fund arena.

Summary

This article will provide a roadmap for you or your IT staff to protect your firm’s vital data and that of your investors or customers. It is broken down into 4 sections, followed by a conclusion: (i) an overview of the frequency of data breaches globally; (ii) SEC examination observations; (iii) key cyber security risks; (iv) core elements of a robust cyber security policy and program; (v) conclusion.

The frequency of data breaches globally shows the need for robust cyber security

The Ponemon Institute’s Research Report on data breaches from 2017 found that firms in India, the Middle East and the U.S. had the largest number of breaches.

As you can see in figure 3 below, while not in the top 3, ASEAN recorded 21,045 data breaches during the 2016 calendar year covered by the report.

SEC Examination Observations

The SEC looked at governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Of the 75 firms examined, the SEC observed the following about broker-dealers, advisers and funds:

· Almost all conducted periodic risk assessments of critical systems to identify cyber threats, vulnerabilities and the business consequences of a cyber incident.

· Almost all conducted penetration tests and vulnerability scans on critical computer systems; however, not all firms fixed the high risk vulnerabilities in a timely manner.

· All used a system, utility or tool to prevent, detect and monitor the loss of personally identifiable data.

· A majority had a process in place to ensure regular system maintenance including software patches to address security vulnerabilities; however, not all critical updates were installed in a timely manner — if at all.

· Nearly all had a cyber security policy, procedure and response plan in place.

· Nearly all firms had a cyber security organizational chart and designated roles and responsibilities.

· Nearly all firms had policies and procedures to verify the identity of customers requesting to transfer funds.

· Most firms conducted initial and subsequent vendor risk assessments.

Key cyber security compliance risks

The following areas were noted as needing additional attention or improvement:

Examples of specific compliance risks

1. Requiring annual customer protection reviews, but not conducting reviews annually.

2. Requiring ongoing security protocol reviews, but not conducting those reviews annually — if at all.

3. Providing contradictory or confusing instructions to employees regarding security procedures.

4. Requiring all employees to complete the firm-instituted cyber security program without a mechanism to ensure all employees actually complete the program.

Core elements of a robust cyber security policy and program

The SEC noted the following core elements in the best programs it examined:

· Cyber security policies that maintained an inventory of critical data, information and vendors and classification of risks to each area.

· Detailed cyber security instructions regarding system penetration tests, security monitoring and auditing, tracking and monitoring of access rights, and specific policies and procedures to follow if sensitive information is lost or stolen.

· Defined schedules and processes for testing vulnerabilities.

· Established and enforced controls to access data and systems.

· Mandatory employee training.

· Engaged senior management.

Conclusion

Cyber security in the digital era is and will remain a top priority for the SEC as well as other regulators around the world, and it will only become more important as financial services disruption brings new and innovative services to myriad areas of the financial services ecosystem.

Broker-dealers, investment advisers and funds should use the issues outlined by the SEC as a resource to audit their cyber security policies. For firms that do not have any cyber security policies or procedures in place — you are playing with fire in an era where cyber security is constantly growing in its importance and potential financial impact on your business.

Written by Corey Harris

Busy business advisor, lawyer, curious person, on the ground in the ASEAN region. #berkeleylaw #bostoncollege #hamptonuniversity