SEC Watchdog Finds Cybersecurity Policies Better But Not Always Enforced

From: Lexology

Gary DeWaal | Katten Muchin Rosenman LLP

The Office of Compliance Inspections and Examinations of the Securities and Exchange Commission issued a report saying that firms have “increased cybersecurity preparedness” since 2014, after reviewing 75 registrants, including broker-dealers, investment advisers and investment companies. However, OCIE also concluded that firms’ cybersecurity policies and procedures are not uniformly tailored to their business because they are too vague or general, and are not always followed or enforced. In some cases, such policies and procedures do not reflect actual practices. In addition, OCIE concluded that firms do not appear to conduct system maintenance “adequately,” such as installing software patches in a timely manner to address system vulnerabilities and protect customer information. Also, in some cases, firms use outdated operational systems that are no longer supported by security patches, or fail to fix in a timely manner high-risk issues identified from penetration tests or vulnerability scans. Although OCIE found that most firms had plans for addressing unauthorized access issues, fewer than two-thirds of all investment advisers and funds had plans for notifying customers in connection with information breaches. As part of its report, OCIE identified certain elements firms should consider including in “robust” cybersecurity policies and procedures: maintenance of a complete inventory of data, information and vendors, including a vulnerability risk assessment; “detailed” cybersecurity instructions (e.g., addressing penetration tests, security monitoring, access rights and breach response); data and system access controls; mandatory employee training; and “engaged” senior management.

Compliance Weeds: The SEC has brought two enforcement actions against registrants for failing to comply with Regulation S-P over the past two years.
