Based on observations and findings from its cybersecurity examinations, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on August 7. These observations were a result of 75 examinations of investment advisers, funds, and broker-dealers focused on validating and testing that written policies and procedures were in fact implemented and followed.
The primary focus was the following 6 areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. According to the risk alert, the OCIE noted that the firms subject to the examinations showed a general improvement in implementing some cybersecurity best practices. It also noted that firms seemed more aware of the risks associated with cybersecurity issues.
The risk alert, however, offered several suggestions firms may wish to consider. For example, the OCIE suggested improving general cybersecurity guidance and creating more examples of safeguards. The office also noted that some firms did not have policies that reflected practices or did not adhere to cybersecurity policies. Some firms, according to the OCIE, did not have strong remediation efforts and had older risk assessments. Further, the OCIE suggested firms may want to consider stronger controls.
Despite the improvements observed, the OCIE noted that cybersecurity remains a key risk for financial firm compliance efforts. If you would like to improve your own compliance efforts, contact Vigilant Compliance today. Vigilant Compliance is a global compliance firm, assisting a range of domestic and international investment management clients. If you are concerned about how an SEC examination would impact you, contact us for comprehensive and robust solutions tailored to your needs.