Recurring Cybersecurity Issues
The Risk Alert discusses several areas of widespread deficiency that the OCIE staff believes can serve as guideposts for firms to improve their policies, procedures and practices. While nearly all of the 75 firms evaluated in the Cybersecurity 2 sweep had written policies and procedures addressing cyber-related business continuity planning and Regulation S-P, and most advisers and funds had specific cybersecurity and Regulation S-ID policies and procedures, a majority of firms had weaknesses, including that:
- their policies “were not reasonably tailored,” providing only vague, general guidance, and did not correspond to specific procedures for employees to follow in implementing the policies;
- they failed to adhere to, or in practice did not actually follow, key established policies and procedures, including:
- mandatory annual customer protection reviews;
- annual and ongoing reviews of security protocol appropriateness;
- required employee cybersecurity training and disciplinary provisions for employees who disregarded such training; and
- their policies generally did not provide clear and non-contradictory instructions, and instead were often inconsistent, such as with respect to remote customer access and investor fund transfer restrictions.
Additionally, the Risk Alert discusses concerns regarding firms:
- using legacy operating systems that do not support new security patches;
- failing to timely install software patches and other operational safeguards for protecting customer information;
- conducting penetration tests but failing to fully remediate high-risk findings from those tests in a timely manner; and
- failing to appropriately adhere to Regulation S-P.
Elements of Effective Policies and Procedures
The Risk Alert identifies the elements of policies and procedures that the OCIE staff believes should be part of a “robust” set of cybersecurity controls. The guidance offered in the Risk Alert is quite specific, detailing the major elements of cybersecurity policies and procedures firms should consider to improve their programs. The critical policy elements that the OCIE staff favorably identified during the Cybersecurity 2 sweep exam include the following.
Maintenance of an inventory of data, information, and vendors/service providers. Well-developed policies and procedures include complete inventories of data residing on a firm’s networks and classifications of the risks, vulnerabilities, data, business consequences and information regarding each third-party vendor/service provider used by the firm.
Penetration Tests. Policies and procedures should contain specific information necessary to review the effectiveness of the testing and security solutions.
Security Monitoring and System Auditing. Policies and procedures concerning a firm’s information security framework should include details related to appropriate testing methodologies.
Access Rights. Procedures should track requests for network access and include policies specifically address the modification of user access rights, including for employee hiring and termination and the changing of employee positions/responsibilities.
Reporting. Procedures should contain specific action plans, including the names of individuals to contact if sensitive information is lost, stolen, unintentionally disclosed or otherwise compromised.
Part 2 of this blog discusses additional cybersecurity program elements identified in the Risk Alert and suggests key takeaways from the guidance.