Top Lessons from the 2017 SEC Cybersecurity Report
Anchin Alert
October 2, 2017
Cybersecurity continues to be a top priority for the SEC. It recently reviewed 75 firms, including broker-dealers, investment advisers, and investment companies, to see what the financial industry is doing well related to cybersecurity, as well as what needs to be improved. Firms should use this information to evaluate and improve their own protection of client data and be aware of the issues the SEC will be looking for during future inspections.
The SEC investigators found a number of improvements compared to their last major report in 2014. The most significant improvement was that nearly all participants in the investigation had written cybersecurity policies and procedures for protecting client information and records. This was a glaring problem in the 2014 report, when the majority of firms did not have these in place.
Other areas of improvement included:
Proactive cybersecurity measures
Most firms were using risk assessments to identify threats and their potential consequences. They were also using penetration tests and vulnerability scans to discover existing problems that needed to be fixed.
Improved system maintenance
Firms were doing a better job keeping up with system maintenance, including regularly installing security patches. However, there were still cases where firms fell behind and missed important software updates.
Established response plans for issues
Most firms had plans for how they would respond to cybersecurity problems like access incidents, denial of service incidents, and unauthorized intrusions. However, many firms did not have a response plan for data breaches.
Clear cybersecurity responsibilities
Firms did a solid job identifying the cybersecurity roles and responsibilities in their workforces. Most had a cybersecurity organizational chart.
Better vendor risk assessments
Firms were consistently performing risk assessments of third-party vendors. Another improvement: half of the firms were performing regular assessments throughout their engagements, not just at the start when they signed up with a new vendor.
The SEC investigators also found some common problems throughout their review.
Written policies were not specific enough
The SEC found that cybersecurity written policies and procedures were often vague and did not provide clear steps for how to handle various situations. Policies were also too narrow and only focused on a few issues. They needed to cover a wider range of situations.
Not all procedures were followed
Another problem was that firms did not follow their own procedures. For example, "annual" reviews of security measures occurred less frequently than once a year, and there was no tracking to make sure that all employees participated in cybersecurity awareness training.
Slow fix of cybersecurity problems
While firms were doing a better job identifying problems, they were still too slow to fix vulnerabilities once they were discovered. There were also cases of firms using outdated operating systems that couldn’t use the latest security patches.
Learning from Effective Firms
To wrap up their report, the SEC shared what firms could learn from organizations with the best cybersecurity practices.
A couple of ways to make cybersecurity instructions more specific include:
- List access rights for different employees and steps to be taken if they change positions or are separated from service.
- Explain the exact steps employees should take and the people they should contact after problems, like stolen data, are discovered or suspected.
Immediate response to vulnerabilities
During vulnerability scans, IT departments should list problems in order of severity along with a plan for addressing each one.
Strong controls for company data
Firms should have clear acceptable-use policies telling employees how to properly act on the company network. Mobile devices that connect to the firm’s network should be protected by passwords and encryption. If employees are separated from service, their access to company data should be terminated immediately.
A firm-wide commitment to cybersecurity
Understandably, firms that were more committed to cybersecurity performed better in the investigations. These firms had mandatory cybersecurity training for employees. Their senior management reviewed and approved cybersecurity policies.
The financial industry has made significant progress in cybersecurity, but there is still room for improvement. Firms should follow through on the SEC’s recommendations to better protect client information and to prepare for their next SEC inspection.
For more information, contact your Anchin relationship partner or Jeffrey I. Rosenthal, Partner-in-Charge of Anchin’s Financial Services Practice at 212.840.3456.