A recent Risk Alert from the SEC’s Office of Compliance Inspections and Examinations summarizes the observations from a set of 75 cybersecurity preparedness examinations conducted with broker-dealers, investment advisers, and investment companies. Part of the OCIE’s Cybersecurity 2 Initiative, these examinations look at six key areas:
- Governance and Risk Assessment
- Access Rights and Controls
- Data Loss Prevention
- Vendor Management
- Training
- Incident Response
From these examinations, the OCIE offered some insights into areas of general strength (conducting periodic risk assessments, establishing business continuity and response plans, etc.) and weakness (failure to respond to identified risks, overly generic policies).
Of particular importance was the observation that, while most firms now have robust policies, procedures, and oversight mechanisms for cybersecurity issues, implementation of and adherence to these same policies and procedures is often lagging and incomplete.
Source:
http://www.jdsupra.com/legalnews/ocie-publishes-risk-alert-summarizing-78373/