Advisors Raise Their Cybersecurity Game with Issues
By Harry J. Lew
As cyber-breaches roiled the financial services industry in recent years, agents and advisors have struggled to secure their businesses—and their clients’ information—against external threats.
But now there’s good news: the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) has found that broker-dealers, investment advisors, and investment companies are more prepared than ever. That’s according to its recent Cybersecurity 2 Initiative, which subjected the data security plans of 75 firms to more robust, hands-on testing.
Focusing on the firms’ written policies and procedures to make sure they were actually implemented and followed, the OCIE assessed the firms’ efforts in the following six areas: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
Although OCIE noted progress since its last examination, it also identified weaknesses that still need work. These included instances in which:
- Firms adopt policies and procedures that are so general or vague that they are of limited use to employees.
- Companies fail to enforce their policies and procedures, or fail to make sure their rules are tailored to their specific needs.
- Broker-dealers and investment advisors/companies rely on outdated operating systems or software applications that manufacturers no longer support with security patches, leaving them exposed to attackers who exploit known security holes in unpatched, end-of-life software.
But the good news is the firms that had implemented robust controls addressed cybersecurity from multiple angles, including:
- Maintaining an inventory of data, information, and vendors.
- Providing detailed instructions on procedures such as penetration tests, access rights, and reporting.
- Regularly testing data integrity and vulnerability relating to core IT infrastructure and software patch management.
- Establishing and enforcing controls for access to firm data or systems relating to acceptable use, mobile device management, vendor activity logs, and terminating access for departed employees.
Although OCIE was quick to highlight progress, it also said “cybersecurity remains one of the top compliance risks for financial firms.” To keep the industry on its toes, it said it will continue to conduct examinations of firms’ procedures and controls, including testing how well those measures have been implemented.