SEC Alert Details ‘Robust’ Cybersecurity Best Practices

SEC examiners noted an "overall improvement in firms' awareness of cyber-related risks and the implementation of certain cybersecurity practices" since the Cybersecurity 1 Initiative.

All broker-dealers, all funds and nearly all advisors examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information, the alert said.

However, while written policies and procedures were maintained addressing cyber-related protection of customer/shareholder records and information, "a majority of the firms' information protection policies and procedures appeared to have issues," the alert states.

For instance, policies and procedures were not "reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies."

Also, firms "did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms' actual practices," the alert said.

The alert pointed the following examples of "robust controls" that firms may want to consider as they continue to implement cybersecurity-related policies and procedures:

• Maintenance of an inventory of data, information and vendors. Policies and procedures included a complete inventory of data and information, along with classifications of the risks.
• Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities.
• Established and enforced controls to access data and systems.
• Mandatory employee training.
• Engaged senior management. The policies and procedures were vetted and approved by senior management.

— Related on ThinkAdvisor:

• Defending Your Digital Data: Part 1
• Defending Your Digital Data: Part 2