We seek to provide information, insights and direction that may enable the financial community to operate effectively and efficiently in a regulatory risk-free environment by curating content from across the web.
Stay informed with the latest financialish news.
SEC Observations from Cybersecurity Exams of Brokers, Advisors, Funds
On Monday, OCIE issued its findings on the cybersecurity preparedness of SEC-registered financial services firms, including broker-dealers (B/Ds), investment advisers (RIAs), and investment companies (RICs).
As part of its Cybersecurity 2 Initiative, the SEC’s Office of Compliance Inspections and Examinations (OCIE) examined 75 firms to assess industry practices and the legal and compliance issues associated with cybersecurity preparedness. The Cybersecurity 2 Initiative built upon prior cybersecurity examinations, particularly OCIE’s 2014 Cybersecurity 1 Initiative.
The examinations focused on the firms’ written cybersecurity policies and procedures, including validating and testing that those policies and procedures were actually implemented and followed. In addition, the staff sought to better understand how firms managed their cybersecurity preparedness by focusing on six areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.
ELEMENTS OF ROBUST POLICIES AND PROCEDURES (BEST PRACTICES). During these examinations, the staff observed several elements that were common to the policies and procedures of firms the staff believes had implemented robust controls. Firms may wish to consider the following elements when implementing or reviewing their own cybersecurity-related policies and procedures.
- Maintenance of an inventory of data, information, and vendors. Policies and procedures included a complete inventory of data and information, along with classifications of the risks, vulnerabilities, data, and business consequences, and information regarding each service provider and vendor, where applicable.
- Detailed cybersecurity-related instructions. Examples included:
► Penetration tests: policies and procedures included specific guidance on how to review the effectiveness of security solutions.
► Security monitoring and system auditing: policies and procedures regarding the firm’s information security framework included details of the appropriate testing methodologies.
► Access rights: requests for access were tracked, and policies and procedures specifically addressed modification of access rights on employee on-boarding, change of position or responsibilities, and termination of employment.
► Reporting: policies and procedures specified the actions to take, including whom to contact, if sensitive information was lost, stolen, or unintentionally disclosed or misdirected.
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities. Examples included:
► Vulnerability scans of core IT infrastructure were required to aid in identifying potential weaknesses in a firm’s key systems, with prioritized action items for any concerns identified.
► Patch management policies that included, among other things, the beta testing of a patch with a small number of users and servers before deploying it across the firm, an analysis of the problem the patch was designed to fix, the potential risk in applying the patch, and the method to use in applying the patch.
- Established and enforced controls to access data and systems. For example, the firms:
► Implemented detailed “acceptable use” policies that specified employees’ obligations when using the firm’s networks and equipment.
► Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications.
► Required third-party vendors to periodically provide logs of their activity on the firms’ networks.
► Required immediate termination of access for terminated employees and very prompt (typically same day) termination of access for employees that left voluntarily.
- Mandatory employee training. Information security training was mandatory for all employees at on-boarding and periodically thereafter, and firms had policies and procedures in place to ensure that employees actually completed it.
- Engaged senior management. The policies and procedures were vetted and approved by senior management.
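The access-rights items above (tracked on-boarding, position changes and terminations; immediate revocation on involuntary termination, same-day revocation on voluntary departure) are the kind of control an examiner will ask a firm to evidence rather than merely describe. The script below is an added example, not code from OCIE or from this page, of a joiner/mover/leaver reconciliation that a compliance or security team could run against an HR export and a directory snapshot to produce that evidence. The role baseline, employee IDs, usernames and timestamps are all constructed for the example; a firm would substitute its own role catalogue and exports.

```python
"""Joiner/mover/leaver access reconciliation (added example, constructed data).

Compares an HR roster against a directory/IAM snapshot and reports the gaps
the OCIE observations call out: involuntarily terminated employees whose
accounts were not disabled immediately, voluntary leavers whose accounts
outlived their last day, movers who kept entitlements from a prior role,
and accounts with no HR owner at all.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Entitlement baseline per role. Assumed for this example; a real firm
# would load its own role catalogue.
ROLE_BASELINE = {
    "trader": frozenset({"oms-trade", "market-data"}),
    "compliance": frozenset({"surveillance", "market-data"}),
    "it-admin": frozenset({"ad-domain-admins", "vpn"}),
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    status: str                  # "active", "terminated" (involuntary), "resigned" (voluntary)
    status_changed_at: datetime  # when HR recorded the current status


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None when the directory has no HR owner
    enabled: bool
    disabled_at: Optional[datetime]
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    account: str
    code: str
    detail: str


def reconcile(hr: List[HrRecord], accounts: List[Account], now: datetime,
              involuntary_grace: timedelta = timedelta(0)) -> List[Finding]:
    """Flag access that violates the leaver/mover rules; returns one Finding per gap."""
    by_emp = {r.employee_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        rec = by_emp.get(acct.employee_id)
        if rec is None:
            findings.append(Finding(acct.username, "ORPHAN", "no HR record owns this account"))
            continue
        if rec.status == "terminated":
            # Involuntary termination: access must end when HR records it (grace defaults to zero).
            deadline = rec.status_changed_at + involuntary_grace
            _check_leaver(acct, deadline, "immediately on termination", findings)
        elif rec.status == "resigned":
            # Voluntary departure: access must end by close of the last day.
            deadline = rec.status_changed_at.replace(hour=23, minute=59, second=59)
            if deadline <= now or not acct.enabled:   # still within the last day: not yet a gap
                _check_leaver(acct, deadline, "by end of last day", findings)
        else:
            # Active employee (including movers): groups must fit the current role only.
            extra = acct.groups - ROLE_BASELINE.get(rec.role, frozenset())
            if extra:
                findings.append(Finding(acct.username, "EXCESS_ENTITLEMENT",
                                        f"groups outside role '{rec.role}': {sorted(extra)}"))
    return findings


def _check_leaver(acct: Account, deadline: datetime, rule: str, findings: List[Finding]) -> None:
    if acct.enabled:
        findings.append(Finding(acct.username, "LEAVER_ENABLED", f"still enabled; policy: disable {rule}"))
    elif acct.disabled_at is None:
        findings.append(Finding(acct.username, "LEAVER_UNVERIFIED",
                                "disabled but no timestamp recorded; timeliness cannot be evidenced"))
    elif acct.disabled_at > deadline:
        findings.append(Finding(acct.username, "LEAVER_LATE",
                                f"disabled {acct.disabled_at - deadline} past deadline ({rule})"))


# Constructed sample inputs (not real firm data).
NOW = datetime(2017, 8, 21, 18, 0)
HR_ROSTER = [
    HrRecord("E100", "trader", "active", datetime(2016, 3, 1)),
    HrRecord("E200", "compliance", "terminated", datetime(2017, 8, 18, 9, 0)),
    HrRecord("E300", "trader", "resigned", datetime(2017, 8, 21, 9, 0)),   # last day is today
    HrRecord("E400", "it-admin", "resigned", datetime(2017, 8, 17, 9, 0)),
    HrRecord("E500", "compliance", "active", datetime(2017, 7, 3)),        # moved from the trading desk
    HrRecord("E600", "trader", "terminated", datetime(2017, 8, 15, 12, 0)),
]
DIRECTORY = [
    Account("alice", "E100", True, None, frozenset({"oms-trade", "market-data"})),
    Account("bob", "E200", True, None, frozenset({"surveillance", "market-data"})),
    Account("carol", "E300", True, None, frozenset({"oms-trade", "market-data"})),
    Account("dave", "E400", False, datetime(2017, 8, 18, 10, 0), frozenset({"ad-domain-admins", "vpn"})),
    Account("erin", "E500", True, None, frozenset({"surveillance", "market-data", "oms-trade"})),
    Account("frank", "E600", False, datetime(2017, 8, 15, 13, 30), frozenset({"oms-trade"})),
    Account("svc_backup", None, True, None, frozenset({"vpn"})),
]


def run_sample() -> List[Finding]:
    return reconcile(HR_ROSTER, DIRECTORY, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.code:<20} {f.account:<12} {f.detail}")
```

On the sample data the run flags bob (terminated, still enabled), dave (resigned, disabled the day after his last day), frank (terminated, disabled 90 minutes late), erin (kept the trading group after moving to compliance) and svc_backup (no HR owner); alice is clean and carol is not yet a finding because her last day has not ended. Re-running with a later `now` turns carol into a LEAVER_ENABLED finding, which is the point of scheduling the check daily rather than only at termination time.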