Last week, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert outlining the results of the sweep exams OCIE conducted on cybersecurity issues. The sweep examined 57 registered broker-dealers and 49 registered investment advisers. The alert notes that OCIE will continue to examine cybersecurity issues during its risk-based exams, consistent with the Office’s 2015 exam priorities. Findings from the exams indicate that most broker-dealers and registered investment advisers have adopted written information security policies. Additionally, while the “vast majority” of firms involved in the sweep conduct risk assessments for cybersecurity threats, fewer apply these standards to vendors. In fact, the sweep indicates that only 32% of advisers require risk assessments of vendors that have access to the adviser’s networks. The alert states that OCIE is still in the process of examining results “to discern correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics.”
The results, particularly with respect to the vendor cybersecurity policies, may appear to demonstrate that broker-dealer firms have more robust policies surrounding cybersecurity issues than registered investment advisers. However, the report does not account for how differences in the business models of these two types of businesses might be reflected in the results. In addition, the advisers examined were fairly small – about three-quarters had assets under management (AUM) of less than $900 million. Finally, virtually none of the advisers examined advise mutual funds – of the total AUM of the 49 advisers examined, only 2% was accounted for by mutual funds they advise. As a result, the report may be of little relevance to fund directors.