The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative. The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.
The OCIE Summary made the following observations:
- the majority of examined broker-dealers and advisers have adopted written information security policies;
- the majority of examined firms conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities;
- most of the examined firms reported that they have experienced cyber-attacks directly or through one or more of their vendors; and
- almost all of the examined firms make use of encryption in some form.
The OCIE also identified key differences in practices between broker-dealers and advisers, including that broker-dealers were more likely to: (1) incorporate cybersecurity risk policies into contracts with vendors; (2) explicitly designate a Chief Information Security Officer; and (3) maintain insurance for cybersecurity incidents.
FINRA also recently released a Report on Cybersecurity Practices, which presents firms with an approach to cybersecurity grounded in risk management. FINRA’s Report recommends:
- a sound governance framework with leadership engagement on cybersecurity issues;
- risk assessments;
- technical controls and strategy that fit the firm’s individual situation;
- testing response plans, which should include containment, mitigation, recovery, investigation, notification and making consumers whole;
- exercising due diligence when contracting with and using a vendor;
- training staff to prevent unintentional downloading of malware; and
- engaging in collaborative self-defense with other firms by sharing intelligence.