On April 15, 2014, the SEC's Office of Compliance Inspections and Examinations announced that it would be conducting examinations of more than 50 registered broker-dealers and registered investment advisers focused on cybersecurity governance and risk. Until yesterday, there had been little or no information from the SEC concerning the results of those examinations. In a Risk Alert published yesterday, however, OCIE provided summary observations from the examinations conducted under the April 2014 Cybersecurity Examination Initiative.
Some of OCIE's key observations from its examinations of 57 registered broker-dealers and 49 registered investment advisers include:
93% of broker-dealers and 79% of investment advisers conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities, and use these assessments to establish their cybersecurity policies and procedures.
84% of broker-dealers and 32% of investment advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
88% of broker-dealers and 74% of investment advisers have experienced cyber-attacks directly or through one or more of their vendors.
11% of broker-dealers and 4% of investment advisers reported incidents in which a firm employee engaged in cybersecurity-related misconduct.
68% of broker-dealers and 30% of investment advisers have specifically designated a "Chief Information Security Officer" for the firm.
58% of broker-dealers and 21% of investment advisers maintain insurance for cybersecurity incidents.
What do these observations mean? One quick takeaway seems to be that, at this point in time, broker-dealers are ahead of investment advisers in developing cybersecurity governance and risk management practices, perhaps because they have also experienced more cyber-attacks. At the Compliance Building blog, Doug Cornelius, Chief Compliance Officer at Beacon Capital Partners, LLC, a real estate private equity firm, writes that he views each bullet point in the OCIE Risk Alert summary as "a new standard that a firm will need to meet. The alert does not say so, but I’m going to use it as a blueprint for an additional review of cybersecurity."