OCIE Risk Alert Highlights Cybersecurity Shortcomings; GAO Report Assesses SEC's Cyber Preparedness

The SEC’s Office of Compliance Inspections and Examinations issued a Risk Alert based on staff examinations of broker-dealers, investment advisers, and investment companies to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. OCIE reported that the examinations involved validation and testing of procedures and controls surrounding cybersecurity preparedness. OCIE observed an overall improvement in firms’ awareness of cyber risks and the implementation of certain cybersecurity practices among the 75 firms examined. However, the staff also observed areas where compliance and oversight could be improved. For example, policies and procedures were not reasonably tailored and provided only generalized guidance; certain firms did not appear to adhere to or enforce their own policies and procedures; and certain firms did not appear to adequately conduct system maintenance.

Meanwhile, a report of the U.S. General Accounting Office found that the SEC improved security controls over its key financial systems and information, and that as of September 2016 the Commission had resolved 47 of 58 recommendations GAO had previously made. However, the GAO audit found new deficiencies and reported that the SEC “had not fully implemented 11 recommendations that included consistently protecting its network boundaries from possible intrusions, identifying and authenticating users, authorizing access to resources, auditing and monitoring actions taken on its systems and network, or encrypting sensitive information while in transmission.” In a letter to the GAO, Chief Information Officer Pamela Dyson said the SEC has corrected or plans to correct the deficiencies.