Notable Takeaways from the SEC's 2017 Cyber Security Sweep

By Matt Donahue | Tuesday, August 15th, 2017

Since 2014, the Securities and Exchange Commission (SEC) has made it clear that cybersecurity risk is a top priority, and now, following its second round of examinations, the regulator has published key observations to inform financial firms and investment advisers of its growing expectations.

And while the SEC noted that, overall, firms demonstrated more preparedness than in the first round of exams in 2014, gaps remain within cybersecurity programs, notably around employee training, patch management and vulnerability assessments.

Following are noteworthy takeaways from the SEC’s cyber exam sweep observations:

Cybersecurity Gaps Observed:

  • Many firms’ policies & procedures were considered too vague or generic and failed to include specific safeguard examples or implementation procedures.

  • The SEC observed that some firms failed to ensure employees completed annual information security training, and also failed to take any action against employees who did not comply with that requirement.

  • Unlike broker-dealers, the majority of advisers do not have incident response plans in place that include procedures for notifying customers and counterparties of a breach.

  • While most firms have implemented procedures for regular system maintenance and patch management, several firms failed to address significant numbers of critical security updates.

  • Exams also revealed the use of outdated operating systems that no longer receive vendor security patches, a gap that matters all the more in the wake of ransomware outbreaks such as WannaCry, which spread through systems missing a patch the vendor had already released.

  • Lack of timely remediation was also observed at firms whose vulnerability assessments had flagged ‘high-risk’ findings.
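The three patch-and-vulnerability gaps above (critical updates left unapplied, operating systems past vendor support, and high-risk assessment findings left open) are the ones a firm can measure for itself before an examiner does. The script below is an added example written for this post, not part of the SEC's observations or any Eze Castle Integration tooling: it takes a constructed host inventory and a constructed list of assessment findings and reports each gap against assumed policy thresholds (a 30-day SLA for critical patches and for high-risk findings). The host names, patch identifiers, findings and the 30-day thresholds are illustrative; the end-of-support date for the legacy host is the one the vendor published, but in practice every date should be taken from the vendor's own lifecycle page and from your written policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed policy thresholds (illustrative; take them from your own written policy).
CRITICAL_PATCH_SLA_DAYS = 30
HIGH_RISK_FINDING_SLA_DAYS = 30


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str           # "critical", "important", "moderate" or "low"
    released: date          # date the vendor made the patch available


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str
    os_supported_until: Optional[date]   # None = vendor still ships security patches
    missing_patches: Tuple[Patch, ...]   # patches released but not yet applied here


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    risk: str               # "high", "medium" or "low", as rated by the assessment
    first_seen: date
    remediated: Optional[date]           # None = still open


def unsupported_hosts(hosts: List[Host], today: date) -> List[str]:
    """Hosts whose operating system no longer receives vendor security patches."""
    return [h.name for h in hosts
            if h.os_supported_until is not None and h.os_supported_until < today]


def overdue_critical_patches(hosts: List[Host], today: date,
                             sla_days: int = CRITICAL_PATCH_SLA_DAYS) -> List[Tuple[str, str, int]]:
    """(host, patch_id, days outstanding) for critical patches older than the SLA."""
    overdue = []
    for h in hosts:
        for p in h.missing_patches:
            age = (today - p.released).days
            if p.severity == "critical" and age > sla_days:
                overdue.append((h.name, p.patch_id, age))
    return sorted(overdue, key=lambda t: -t[2])   # oldest backlog first


def overdue_high_risk_findings(findings: List[Finding], today: date,
                               sla_days: int = HIGH_RISK_FINDING_SLA_DAYS) -> List[Tuple[str, str, int, str]]:
    """High-risk findings that were, or still are, open longer than the SLA.

    Findings closed late are reported too: the examiner's point was timeliness,
    and a finding fixed on day 61 of a 30-day SLA is still a gap in the record.
    """
    overdue = []
    for f in findings:
        if f.risk != "high":
            continue
        closed = f.remediated or today            # open findings keep ageing until today
        age = (closed - f.first_seen).days
        if age > sla_days:
            status = "open" if f.remediated is None else "closed late"
            overdue.append((f.host, f.title, age, status))
    return sorted(overdue, key=lambda t: -t[2])


def exam_readiness_report(hosts: List[Host], findings: List[Finding], today: date) -> Dict[str, list]:
    """One dict with all three gap lists, ready to drop into a management report."""
    return {
        "unsupported_os": unsupported_hosts(hosts, today),
        "overdue_critical_patches": overdue_critical_patches(hosts, today),
        "overdue_high_risk_findings": overdue_high_risk_findings(findings, today),
    }


# --- Constructed sample data (not from any real firm or from the SEC's sweep) ---
TODAY = date(2017, 8, 15)   # the date of this post, used as "now" for the sample

SAMPLE_HOSTS = [
    Host("fs01", "Windows Server 2012 R2", None,
         (Patch("PATCH-2017-031", "critical", date(2017, 3, 14)),     # 154 days old
          Patch("PATCH-2017-072", "moderate", date(2017, 7, 11)))),
    Host("legacy-app", "Windows Server 2003", date(2015, 7, 14), ()),  # vendor support ended
    Host("ws-trader-07", "Windows 10", None,
         (Patch("PATCH-2017-081", "critical", date(2017, 8, 8)),)),    # 7 days old, within SLA
]

SAMPLE_FINDINGS = [
    Finding("fs01", "SMBv1 enabled", "high", date(2017, 5, 20), None),                       # 87 days, open
    Finding("ws-trader-07", "Local admin rights for all users", "high",
            date(2017, 4, 1), date(2017, 6, 1)),                                             # closed after 61 days
    Finding("legacy-app", "Telnet service exposed", "high", date(2017, 8, 1), None),          # 14 days, within SLA
    Finding("fs01", "Self-signed certificate", "medium", date(2017, 1, 5), None),            # medium: not tracked here
]

if __name__ == "__main__":
    for section, items in exam_readiness_report(SAMPLE_HOSTS, SAMPLE_FINDINGS, TODAY).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run against the sample data, the report lists `legacy-app` as unsupported, one critical patch on `fs01` that has been outstanding for 154 days, and two high-risk findings past the SLA (one still open, one closed late). Feeding it a real inventory means exporting hosts and missing patches from whatever patch management tool the firm already uses and the findings from the last assessment; the value is in running it monthly and keeping the output, since "we track this and here is the trend" is exactly the evidence the observations say was missing.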

Best Practice Observations/What Some Firms Are Doing Well:

  • Maintaining a complete inventory of data and information

  • Maintaining an inventory of service providers and what data they have access to

  • Properly tracking requests for system and network access, as well as modifications of access rights

  • Patch management policies that included: “among other things, the beta testing of a patch with a small number of users and servers before deploying it across the firm, an analysis of the problem the patch was designed to fix, the potential risk in applying the patch, and the method to use in applying the patch.”

  • A requirement for vendors to periodically provide logs of activity on firm networks

  • Mandatory employee security training both during the on-boarding process and on a regular basis

  • Appropriate engagement and approval from senior management on cyber policies and procedures

As a reminder, the SEC has previously outlined specific areas of focus for their cybersecurity examinations: (1) governance and risk assessment, (2) access rights and controls, (3) data loss prevention, (4) vendor management, (5) training and (6) incident response. With a focus on these areas, investment firms and advisers can build robust cyber programs to mitigate threats and satisfy these regulatory expectations.

For more information on how Eze Castle Integration can assist your firm in meeting these requirements, please visit
