SEC Cybersecurity 2 Initiative: Lessons and Guidance


In August 2017, the Office of Compliance Inspections and Examinations of the U.S. Securities and Exchange Commission (“SEC”) announced the results of its most recent cybersecurity examination initiative, the Cybersecurity 2 Initiative (the “Initiative”).[1] The Initiative built on the SEC’s previous cybersecurity examinations[2] but involved more validating and testing of cybersecurity procedures and protocols. The Initiative involved 75 firms, including broker-dealers, investment advisers, and investment companies. It focused on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. The SEC found that cybersecurity practices had generally improved since its initial round of examinations in 2014 but also noted areas for improvement. The SEC also provided guidance regarding the elements of a robust cybersecurity program for financial firms.

Improved Cybersecurity Practices

The SEC noted overall improvement in firms’ cybersecurity practices and procedures since prior examinations in 2014 and 2015. In particular, nearly all firms maintained written cybersecurity policies and procedures addressing the protection of customer/shareholder records and information. In addition, the SEC positively noted that many or all firms: (i) conducted periodic risk assessments of critical systems; (ii) conducted penetration tests and vulnerability scans on critical systems; (iii) used tools to prevent, detect, and monitor data loss of personally identifiable information; and (iv) had processes for regular system maintenance, including the installation of software patches to address security vulnerabilities.

As noted by the SEC in announcing the Initiative’s results, robust cybersecurity practices are important to firms seeking to comply with their obligations under the federal securities laws. For example, Regulation S-P requires broker-dealers, investment companies, and investment advisers registered with the SEC to adopt written policies and procedures addressing administrative, technical, and physical safeguards to protect customer records and information.[3] Similarly, Regulation S-ID requires certain firms to implement written programs to detect and prevent identity theft.[4] In recent years, the SEC has undertaken enforcement actions against firms that fail to comply with their responsibilities to properly safeguard customer information.[5]

Areas for Improvement
 
Despite overall improvement, the SEC identified several areas for improvement in firms’ cybersecurity practices. The SEC’s recommendations included: (i) providing employees with more specific guidance for implementing cybersecurity policies; (ii) ensuring that actual practices match written policies and procedures, for example by actually performing annual customer protection reviews rather than merely providing for them in written policies; and (iii) conducting adequate system maintenance to ensure Regulation S-P compliance, including avoiding stale risk assessments and remediating high-risk findings from penetration tests and vulnerability scans in a timely manner.
 
Guidance on Robust Policies and Procedures
 
Finally, the SEC provided guidance regarding certain elements common to the cybersecurity programs of those firms deemed to have implemented robust controls. Those elements included, among other things:
 
  • Maintenance of an inventory of data, information, and vendors, including classifications of risk and vulnerabilities;
  • Detailed cybersecurity instructions for items such as penetration tests, security monitoring and system auditing, access rights, and reporting of cybersecurity incidents;
  • Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including vulnerability scans of core IT infrastructure and patch management policies;
  • Established and enforced controls to access data and systems, including detailed “acceptable use” policies, enforced restrictions and controls for mobile devices, logged third-party vendor network activity, and terminated access for terminated employees;
  • Mandatory employee training, including policies and procedures to ensure completion of training; and
  • Engagement of senior management in vetting and approving cybersecurity policies and procedures.

While the SEC’s guidance is not intended to provide an exhaustive list of required cybersecurity practices, it does provide a helpful roadmap for broker-dealers, investment advisers, and other firms seeking to comply with their customer information protection obligations under the federal securities laws.

Eric McKeown is a member of Ice Miller's Data Security and Privacy Practice and has extensive experience with SEC investigations. Ice Miller’s Data Security & Privacy Practice helps clients assess risks and implement strong data security and privacy programs.

If you have any questions or would like additional information regarding SEC guidance and regulations regarding data security, please contact Nick Merker at (317) 236-2337 or Nick.Merker@icemiller.com, Matt Fornshell at (216) 394-5072 or Matthew.Fornshell@icemiller.com, or Eric McKeown at (317) 236-2124 or Eric.Mckeown@icemiller.com.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.


[1] OCIE, National Exam Program, Risk Alert: Observations from Cybersecurity Examinations (Aug. 7, 2017) [hereinafter OCIE Risk Alert], available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf. See also OCIE, National Exam Program, Risk Alert: OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), available at https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf.
[2] See OCIE, National Exam Program, Risk Alert: Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; OCIE, National Exam Program, Risk Alert: Cybersecurity Initiative (Apr. 15, 2014), available at https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.
[3] Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, 17 C.F.R. Part 248, Subpart A.
[4] Regulation S-ID: Identity Theft Red Flags, 17 C.F.R. Part 248, Subpart C.
[5] See, e.g., In re Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Advisers Act Release No. 4415 (June 8, 2016); In re R.T. Jones Capital Equities Management Inc., Advisers Act Release No. 4204 (Sept. 22, 2015); In re Craig Scott Capital LLC, Exchange Act Release No. 77595 (Apr. 12, 2016).
