A Look at OCIE's Cybersecurity Exam Sweep Findings: Hedge Funds Take Note
In its 2015 priorities, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as a key focus area in its risk-based assessments. Then on February 3, 2015, OCIE released summary findings from its Cybersecurity Examination Sweep.
OCIE’s sweep relied on the firms’ written documentation for its assessment and conducted only "limited testing" of the accuracy of the responses; it did not review the technical sufficiency of the firms’ programs. OCIE’s reliance on documentation highlights the importance of complete Written Information Security Policies.
Following are noteworthy items Eze Castle Integration observed in reviewing the findings.
49% of advisers did not discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident in their written business continuity plans.
The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, only 32% of advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
In the Written Information Security Plans (WISP) Eze Castle Integration creates for clients, we include service provider risk assessments as a standard element.
88% of broker-dealers and 74% of advisers stated that they have experienced cyber-attacks directly or through one or more of their vendors. The majority of the cyber-related incidents are related to malware and fraudulent emails.
25% of broker-dealers reported losses related to fraudulent emails and employees not following the firms’ procedures. While this is a small percentage, firms need to ensure they are training employees in addition to documenting the security policies and implementing tighter security.
Only 13% of advisers have policies and procedures related to information security training for vendors and business partners authorized to access their networks.
From our perspective, the low number (13%) is not surprising, as smaller firms (e.g. hedge funds) do not have the resources to train their vendors, brokers or business partners. Rather, they require these partner firms to train their own employees.
Only 30% of advisers have designated a CISO; instead, the advisers look to their CTO to assume responsibility, or have another senior officer (e.g. CCO, CEO, COO) liaise with a third-party consultant who is responsible for cybersecurity oversight.
This finding shows that CTOs are increasingly expected to serve as CISOs and reflects the evolving role of technologists within firms.
Only 21% of adviser respondents maintain insurance that covers losses and expenses attributable to cybersecurity incidents. Out of the broker-dealers and advisers, only one broker-dealer and one adviser reported that they had filed claims.
OCIE staff are still reviewing the information to discern correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics. As noted in OCIE’s 2015 priorities, they will continue to focus on cybersecurity through risk-based examinations.
Webinar on OCIE's Cybersecurity Sweep & Hedge Funds
Watch our webcast as we review the SEC's cybersecurity exam findings and best practices for managing a secure investment firm.