Connect with us

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website. .

Top Stories

OBSERVATIONS FROM OCIE’S CYBERSECURITY 2 INITIATIVE 
OBSERVATIONS FROM OCIE'S CYBERSECURITY 2 INITIATIVE 

Published : , on

By Michael R. Manley, partner and Blair R. Springer, associate, Venable, LLP

Michael R. Manley, partner, Venable, LLP

Michael R. Manley, partner, Venable, LLP

The United States Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently conducted its Cyber security 2 Initiative (Initiative). The Initiative consisted of an examination by OCIE of 75 businesses, including investment companies, investment advisers, and broker-dealers (collectively, the Firms). OCIE reported its observations from the Initiative in a recent Risk Alert. The Initiative focused on the Firms’ written policies and procedures regarding cyber security and included validation and testing that such policies and procedures were implemented and followed.

In general, OCIE observed that Firms had increased their cybersecurity preparedness since OCIE’s 2014 Cybersecurity 1 Initiative.However, OCIE noted specific areas where compliance and oversight could be improved. A summary of OCIE’s observations, including issues and robust practices identified by the organization, follows.

Observations

OCIE observed that most Firms conducted (i) periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and business consequences, and (ii) penetration tests and vulnerability scans. In addition, all Firms utilized some system, utility, or tool to prevent, detect, and monitor data loss related to personally identifiable information. In contrast, OCIE’s observations included several issues at many Firms, depending, in part, on the type of firm. For example:

  • A number of Firms did not appear to fully remediate risks discovered from tests and scans.
  • A number of Firms failed to install critical software security patches in connection with regular system maintenance.
  • Many advisers and funds did not appear to maintain their incident response plans related to data breach incidents and notifying customers or clients.
  • Some Firms did not appear to memorialize, as part of their written supervisory procedures, their authority to transfer client/customer funds to third-party accounts.

Specific Issues Identified by OCIE

OCIE provided more detail with respect to many of the issues identified pursuant to the Initiative. For example, although most Firms kept up-to-date written policies and procedures for the protection of client data, many did not enforce those policies. OCIE noted that many of the Firms’ actual practices diverged from their stated goals. Additionally, OCIE noted that Firms should tailor their policies to their business and should avoid creating contradictory or confusing instructions for employees, particularly with respect to certain areas, such as remote access and investor fund transfers. Finally, some issues implicated Regulation S-P, including the use of outdated operating systems and the failure to correct high-risk vulnerabilities when identified.

Blair R. Springer, associate, Venable, LLP

Blair R. Springer, associate, Venable, LLP

Robust Policies and Procedures

OCIE also highlighted the following elements of robust cyber security policies and procedures:

  • Firms generally kept a complete inventory of data and information and classified it by risk, vulnerabilities, and other criteria.
  • Firms’ policies and procedures included detailed cybersecurity-related instructions, including with respect to penetration tests, security monitoring and system auditing, access rights, and reporting.
  • Many Firms maintained schedules and processes for testing data integrity and vulnerabilities, such as scans of core IT infrastructure and patch management policies.
  • Other Firms required strict controls, including passwords and other encryption, for mobile devices that connected to the Firms’ systems.
  • Finally, some Firms strictly traced an employee’s access rights throughout his or her time with the company, noting how and when the rights changed.

The Initiative and OCIE’s related observations reinforce the priorities set forth in OCIE’s 2017 Priorities Letter (a copy of which can be accessed here). OCIE’s continued scrutiny of the industry’s cybersecurity programs, policies, and procedures merits ongoing diligence, assessments, and improvements by regulated firms. To read more about OCIE’s cybersecurity examination observations, click here.

About the Authors
Michael Manley is a partner headquartered in Venable’s New York office and is a member of the firm’s Corporate Group. Mr. Manley leverages his prior experience as a President, General Counsel and Chief Compliance Officer to efficiently solve problems and craft practical solutions for his clients. He offers general counsel services to his clients providing day-to-day advice and guidance on all corporate matters, including corporate governance, litigation strategy, M&A, employment, IP, service provider agreements, financing arrangements, and enterprise risk management.
 
Blair Springer is an associate in Venable’s Corporate Group in New York. His practice focuses on corporate finance, mergers and acquisitions, private equity and venture capital transactions, and tax.

Uma Rajagopal has been managing the posting of content for multiple platforms since 2021, including Global Banking & Finance Review, Asset Digest, Biz Dispatch, Blockchain Tribune, Business Express, Brands Journal, Companies Digest, Economy Standard, Entrepreneur Tribune, Finance Digest, Fintech Herald, Global Islamic Finance Magazine, International Releases, Online World News, Luxury Adviser, Palmbay Herald, Startup Observer, Technology Dispatch, Trading Herald, and Wealth Tribune. Her role ensures that content is published accurately and efficiently across these diverse publications.

Global Banking & Finance Review

 

Why waste money on news and opinions when you can access them for free?

Take advantage of our newsletter subscription and stay informed on the go!


By submitting this form, you are consenting to receive marketing emails from: . You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact

Recent Post