Advisors have made strides against cyber threats — but it may not be enough.
Following its latest wave of exams, the SEC's Office of Compliance Inspections and Examinations found the results are a decidedly mixed bag when it comes to how firms are working to protect sensitive systems and client information from hackers.
So far, the SEC has handled cybersecurity issues largely through the deficiency letters it issues advisors following an exam and issuing risk alerts. In May, in response to the WannaCry ransomware attack, the SEC issued a risk alert urging firms to check their systems to make sure that the necessary patches had been installed. Advisors should expect the regulator's attention to this matter to grow.
"We do feel it's only a matter of time before we begin to see a new round of enforcement actions related to cyber security," says GJ King, president of the advisor consulting firm RIA in a Box. "Arguably, cyber security poses the single greatest risk to all clients of all RIA firms."
First, the good news: After reviewing the cyber operations at 75 RIAs, BDs and investment companies, OCIE reported "an overall improvement in firms' awareness" of cyber risks and the near-universal implementation of programs to mitigate the risks. Almost all of the firms examined run routine risk assessments intended to flag potential threats.
However, there were two areas with much room for improvement. Here are the key takeaways for firms to consider.
TOO STATIC AND UNSPECIFIC?
While a large majority of firms examined had written cyber policies in place, OCIE found that many of those documents were generalized and vague. It's important that policy is "reasonably tailored" to a firm's unique risks and operations.
Additionally, it's important for firms to adhere to and enforce their policies and procedures. Comprehensive documentation is also important.
Firms with lax policies appeared to treat their cybersecurity policies as static documents, according to OCIE.
The SEC does not have a specific rule on the books dictating what firms' cybersecurity policies must look like, but many of those issues are covered by the rule on client privacy protections known as Regulation S-P.
In its latest sweep, OCIE found that many firms had deficiencies in that area as well, such as the use of antiquated computer operating systems that were no longer supported with patches and the failure to act on issues identified through vulnerability probes or penetration testing.
Because cyber threats are constantly evolving, examiners expect programs to be current and continuously updated. The regulator reported that, in many instances, even firms that had established provisions for reviewing their policies failed to do so frequently enough.
TRAINING FOR ALL: PROTECTING EMPLOYEES
Employees should have proper guidance on cybersecurity, as often they are the first line of defense against a potential strike.
OCIE examiners found cases of firms with policies requiring cybersecurity awareness training for all employees where there was no follow-through. There were also instances where cybersecurity policies were contradictory to business operations and best practices, potentially putting employees in a bind.
It's imperative that firms protect their employees — and that often starts with comprehensive training. Every firm should provide regular training throughout the year as cyber threats evolve.
FORWARD THINKING
While OCIE seems to understand that cyber attacks may be unavoidable, examiners are expecting firms to think through how they would respond to a breach so they are not caught flat-footed if an incident does occur, according to Bryan Gort, an associate attorney at the legal and compliance firm Parker MacIntyre.
"OCIE realizes it is impossible for investment advisors and broker-dealers to foresee every cyber-attack and stop them before they happen," Gort wrote in a