OCIE Issues Risk Alert Following Recent Cybersecurity Examinations of Financial Firms: Office of Compliance Inspections and Examinations Summarizes Observations on Industry Practices and Identifies Continuing Areas of Weakness

Sullivan & Cromwell LLP - August 11, 2017
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert (Risk Alert) summarizing the findings of recent examinations conducted as part of its 2015 Cybersecurity 2 Initiative. Between September 2015 and June 2016, OCIE examined 75 financial firms registered with the SEC (including broker-dealers, investment advisers and investment companies) to assess industry practices and issues associated with the firms’ cybersecurity preparedness. These examinations built upon prior cybersecurity examinations, particularly OCIE’s 2014 Cybersecurity 1 Initiative. In general, OCIE staff observed increased cybersecurity preparedness but also identified areas where compliance and oversight could be improved. The Risk Alert summarizes the staff’s observations from the examinations and highlights certain issues observed as well as certain policies and procedures that the staff believes may be effective. Cybersecurity remains a top compliance risk for financial firms, and OCIE has indicated that it will continue to examine cybersecurity procedures and controls.
While OCIE noted overall improvement in cybersecurity preparedness since the 2014 Cybersecurity 1 Initiative, it also identified several continuing areas of weakness. Specifically, the Risk Alert notes that firms may need to exert greater effort to ensure that their policies are being enforced. Given the attention that OCIE has devoted to cybersecurity compliance among financial firms in light of the growing cyber-related threats, financial firms should consider whether the vulnerabilities identified in the Risk Alert—or other cybersecurity issues—may need to be addressed in order to update or strengthen their cybersecurity risk management systems.