This week the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) announced the results from a sweep of U.S. broker-dealers and investment advisers on cybersecurity. The review of 57 broker-dealers and 49 investment advisers by the Cybersecurity Examination Initiative was initiated last April, with the questions published in an unprecedented risk alert, discussed here. The results from the review are in, and although the SEC didn’t issue a grade, it appears the broker-dealers were better prepared for cybersecurity risks than the investment advisers.
Not surprisingly, nearly all broker-dealers (88 percent) and investment advisers (74 percent) reviewed had experienced cyber attacks, including fraudulent emails and malware. As a general rule, most broker-dealers (93 percent) and investment advisers (83 percent) had written information security policies in place. Many of these based their security framework on published cybersecurity risk management standards, such as those published by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Federal Financial Institutions Examination Council (FFIEC). It is no surprise that third-party risk assessments, reporting and information sharing, and cybersecurity insurance are the most discussed topics in this review.