SEC OCIE Cybersecurity Sweep 2015

On February 3rd, the SEC’s Office of Compliance, Inspections and Examinations (“OCIE”) released the results of the cybersecurity examination sweep that was conducted throughout 2014.  The sweep examined 106 investment adviser firms, which consisted of 57 broker-dealers (BD) and 49 registered investment advisers (RIA). 
 
The sweep results (Risk Alert) can be found here.
 
For each firm that was selected, the OCIE interviewed key personnel and assessed their cybersecurity preparedness.  The review can be broken down into the following categories:

  • Assessments: Has the firm recently conducted a risk assessment?
  • Policies and Procedures: Does the firm have a written information security policy in place?
  • Incident Response Plans: Does the firm factor cyber-incident related outages into their Business Continuity Plan?
  • Third Parties: Does the firm assess the cybersecurity preparedness of their third parties?
  • Phishing: Has the firm previously been targeted by phishing scams and what measures does the firm take to mitigate these attacks?
  • Internal Risks: What measures are taken by the firm to mitigate internal attacks?
  • Inventories: Does the firm maintain up-to-date hardware and software inventories and are the network resources and data flows documented?
  • Encryption: Does the firm make use of encryption?

Gravitas has reviewed the summary report and has made the following key observations:

  • Assessments:
    • 93% of BD and 79% of RIA conducted periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential impact to the business.
  • Policies and Procedures:
    • 93% of BD and 83% of RIA have adopted written information security policies.
    • 89% of BD and 57% of RIA conduct periodic audits to ensure compliance with their established security policies and procedures.
  • Incident Response Plans:
    • 82% of BD and 51% of RIA employ a business continuity plan to mitigate the effects of a cybersecurity incident and/or have outlined a plan to recover from such an incident.
  • Third Parties:
    • 88% of BD and 74% of RIA reported that they have been the victim of a cybersecurity related incident directly or indirectly through a vendor.
    • Only 32% of RIA require risk assessments of vendors with access to their networks.
  • Phishing:
    • 54% of BD and 43% of RIA experienced phishing emails seeking to transfer client funds.
    • Of the BD that experienced losses due to fraudulent emails (26% of the 54% noted above), 25% stated that those loses were a result of employees not following identity authentication procedures.
  • Internal Risks:
    • Only 11% of BD and 4% of RIA “reported incidents in which an employee or other authorized user engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client, or firm information, or in damage to the firms’ networks.”
  • Inventories:
    • “The vast majority of examined firms report conducting firm-wide inventorying, cataloging, or mapping of their technology resources.”
  • Encryption:
    • “Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.”

While the overall results are encouraging, and it seems that our industry is moving in the right direction as it pertains to cybersecurity preparedness, it should be noted that the OCIE staff conducted very limited testing to verify the responses of the interviewees and to what extent policies and procedures were actually implemented.  Assessments of this type often miss gaps in security controls and/or ineffective security policies. We anticipate that this approach will change in the future as the OCIE cybersecurity initiative program matures and we expect that they will begin testing and thoroughly verifying security controls during future examinations. As such, we are advising our clients to take a proactive and vigilant approach in reviewing, implementing, testing and assessing the necessary policies and procedures to address cybersecurity preparedness. At a minimum, firms should begin reviewing policies and procedures for effectiveness and also ensure that Data Protection and Business Continuity Plans as well as Privacy Policies are in place to properly protect client data and assets.
 
Throughout 2015, Gravitas will be making several improvements to our cybersecurity programming that will benefit all of our clients. Some of these improvements include:

  • Reviewing and testing our Cybersecurity Incident Management and Response plan to ensure that it is effective and includes procedures for containment, eradication, recovery, investigation and notification.
  • Streamlining our cybersecurity governance framework in order to better identify and manage cybersecurity risks by remapping our corporate IT policy to align with the ISO27001/2 and COBIT 5 governance frameworks.
  • Expanding our defense-in-depth strategies by implementing additional security controls to protect our Cloud ecosystem against known cybersecurity threats through a renewed focus on Intrusion Detection and Prevention as well as Data Loss Prevention.

Finally, we would like to assure you that Gravitas is taking the OCIE Cybersecurity Initiative seriously and that we are committed to improving the security of our Cloud ecosystem and your assets. We strive to provide best-in-class service to our clients and understand that data and network integrity are increasingly important in today’s ever-growing, cybersecurity threat landscape.  By continuing to invest in and improve our cybersecurity threat management, we will continue to offer secure, robust services to our clients.