SEC notes improvement in cybersecurity policies

The regulator’s latest initiative found most firms have written policies in place, but they need to improve their maintenance.

Cybersecurity policies and procedures at private fund firms have generally improved, but ongoing efforts are needed to ensure they remain robust, according to the Securities and Exchange Commission.

Most of the 75 firms recently examined by the regulator as part of its Cybersecurity 2 Initiative had written policies and procedures in place addressing the protection of customer and shareholder data, an improvement from its previous initiative which found “comparatively fewer” broker-dealers and advisors had them in place.

Nearly all examined firms conducted periodic risk assessments of critical systems, penetration tests and vulnerability scans, and had a process in place to ensure regular system maintenance, the SEC said.

Most firms also had plans for addressing access and data breach incidents and notifying customers of an incident. They also either conducted vendor risk assessments or required vendors to provide the firm with risk management and performance reports. More than half of the firms also required an annual update on these risk assessments.

A number of issues highlighted by the sweep were maintenance-related. Some policies were not tailored to the specifics of the firm and others were not reviewed annually where required. Several were using outdated operating systems that were no longer supported by security patches.

Staff also noted some contradictory or confusing instructions for employees, and that some firms did not take action to ensure staff undertook required training.

“Cybersecurity remains one of the top compliance risks for financial firms. As noted in Office of Compliance Inspections and Examiniation’s 2017 priorities, OCIE will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms,” the SEC said.