On August 7, 2017, the SEC published a National Exam Program Risk Alert describing the results of cybersecurity exams of 75 broker-dealers and investment advisors. “National Exam Program Risk Alert, Observations from Cybersecurity Examinations,” (SEC August 7, 2017).
This report is useful in evaluating your investment advisory firm’s cybersecurity policies. Two issues received particular attention from the SEC in the report: (1) the need to make sure that security patches and upgrades are timely installed on all firm computer systems, and (2) the need for firms to tailor policies and procedures to actual practices (or vice versa).
Your cybersecurity policies and procedures should address the installation of security patches. To the extent that IT operations are outsourced, we recommend that the contracts with the IT vendor (1) specify the installation of software and security updates and patches as part of the vendor’s duties, and (2) require regular verification of updates (at least quarterly). You may recall that the WannaCry virus in May spread because of incomplete installation of security patches and updates.
With regard to the enforcement of cybersecurity policies and procedures, the CCO should review the firm’s cybersecurity procedures to make sure that they accurately reflect the firm’s practices. If necessary, the CCO may have to provide additional training to staff to make sure that policies and procedures are followed.
The SEC also provides other observations on the content and effectiveness of cybersecurity policies that are useful to consider.
Please contact John Anjier if you would like further information.
Disclaimer: This Blog/Web Site is made available by the law firm of Liskow & Lewis, APLC (“Liskow & Lewis”) and the individual Liskow & Lewis lawyers posting to this site for educational purposes and to give you general information and a general understanding of the law only, not to provide specific legal advice as to an identified problem or issue. By using this blog site you understand and acknowledge that there is no attorney client relationship formed between you and Liskow & Lewis and/or the individual Liskow & Lewis lawyers posting to this site by virtue of your using this site. The Blog/Web Site should not be used as a substitute for legal advice from a licensed professional attorney in your state regarding a particular matter.