OBSERVATIONS FROM CYBERSECURITY EXAMINATIONS

Transcription

1 By the Office f Cmpliance Inspectins and Examinatins ( OCIE ) 1 This Risk Alert prvides a summary f bservatins Vlume VI, Issue 5 August 7, 2017 frm OCIE s examinatins OBSERVATIONS FROM f registered brkerdealers, investment CYBERSECURITY EXAMINATIONS advisers, and investment cmpanies cnducted I. Intrductin pursuant t the In OCIE s Cybersecurity 2 Initiative, Natinal Examinatin Prgram staff Cybersecurity examined 75 firms, including brker-dealers, investment advisers, and Examinatin Initiative investment cmpanies ( funds ) registered with the SEC t assess industry annunced n practices and legal and cmpliance issues assciated with cybersecurity September 15, preparedness. 2 The Cybersecurity 2 Initiative built upn prir cybersecurity examinatins, particularly OCIE s 2014 Cybersecurity 1 Initiative. 3 Hwever, the Cybersecurity 2 Initiative examinatins invlved mre validatin and testing f prcedures and cntrls surrunding cybersecurity preparedness than was previusly perfrmed. The examinatins fcused n the firms written plicies and prcedures regarding cybersecurity, including validating and testing that such plicies and prcedures were implemented and fllwed. In additin, the staff sught t better understand hw firms managed their cybersecurity preparedness by fcusing n the fllwing areas: (1) gvernance and risk assessment; (2) access rights and cntrls; (3) data lss preventin; (4) vendr management; (5) training; and (6) incident respnse. In general, the staff bserved increased cybersecurity preparedness since ur 2014 Cybersecurity 1 Initiative. Hwever, the staff als bserved areas where cmpliance and versight culd be imprved. This Risk Alert prvides a summary f the staff s bservatins frm the Cybersecurity 2 Initiative The views expressed herein are thse f the staff f OCIE, in crdinatin with ther staff f the Securities and Exchange Cmmissin ( SEC r Cmmissin ). The Cmmissin has expressed n view n the cntents f this Risk Alert. This dcument was prepared by the SEC staff and is nt legal advice. See OCIE, Examinatin Pririties fr 2015 (January 13, 2015) and Natinal Exam Prgram Risk Alert, OCIE s 2015 Cybersecurity Examinatin Initiative (September 15, 2015). A few f the staff s bservatins discussed herein were previusly discussed in a recent Natinal Exam Prgram Risk Alert, Cybersecurity: Ransmware Alert (May 17, 2017). See OCIE, OCIE Cybersecurity Initiative (April 15, 2014) and Natinal Exam Prgram Risk Alert, Cybersecurity Examinatin Sweep Summary (February 3, 2015). The staff examined a different ppulatin f firms in the Cybersecurity 2 Initiative than thse that were examined in the Cybersecurity 1 Initiative.

2 examinatins and highlights certain issues bserved as well as certain plicies and prcedures that the staff believes may be effective. 4 II. Summary f Examinatin Observatins Amng the 75 firms examined, the staff nted an verall imprvement in firms awareness f cyberrelated risks and the implementatin f certain cybersecurity practices since the Cybersecurity 1 Initiative. Mst ntably, all brker-dealers, all funds, and nearly all advisers examined maintained cybersecurityrelated written plicies and prcedures addressing the prtectin f custmer/sharehlder recrds and infrmatin. This cntrasts with the staff s bservatins in the Cybersecurity 1 Initiative, in which cmparatively fewer brker-dealers and advisers had adpted this type f written plicies and prcedures. In the examinatins, the staff bserved: Nearly all brker-dealers and the vast majrity f advisers and funds cnducted peridic risk assessments f critical systems t identify cybersecurity threats, vulnerabilities, and the ptential business cnsequences f a cyber incident. Nearly all brker-dealers and almst half f the advisers and funds cnducted penetratin tests and vulnerability scans n systems that the firms cnsidered t be critical, althugh a number f firms did nt appear t fully remediate sme f the high risk bservatins that they discvered frm these tests and scans during the review perid. All firms utilized sme frm f system, utility, r tl t prevent, detect, and mnitr data lss as it relates t persnally identifiable infrmatin. All brker-dealers and nearly all advisers and funds had a prcess in place fr ensuring regular system maintenance, including the installatin f sftware patches t address security vulnerabilities. Hwever, the staff bserved that a few f the firms had a significant number f system patches that, accrding t the firms, included critical security updates that had nt yet been installed. Infrmatin prtectin prgrams at the firms typically included relevant cyber-related tpics, such as: Plicies and prcedures. Nearly all firms plicies and prcedures addressed cyber-related business cntinuity planning and Regulatin S-P. 5 In additin, nearly all brker-dealers and 4 5 The examinatins were cnducted between September 2015 and June 2016 and generally cvered the review perid Octber 1, 2014 thrugh September 30, See 17 C.F.R. Part 248, Subpart A Regulatin S P: Privacy f Cnsumer Financial Infrmatin and Safeguarding Persnal Infrmatin. See als Dispsal f Cnsumer Reprt Infrmatin, Securities Exchange Act f 1934 ( Exchange Act ) Release N , Investment Advisers Act f 1940 ( Advisers Act ) Release N. 2332, Investment Cmpany Act f 1940 ( Investment Cmpany Act ) Release N (December 2, 2004), 69 Fed. Reg (December 8, 2004) and Privacy f Cnsumer Financial Infrmatin (Regulatin S- P), Exchange Act Release N , Investment Cmpany Act Release N , Advisers Act Release N (June 22, 2000), 65 Fed. Reg (June 29, 2000). 2

3 mst advisers and funds had specific cybersecurity and Regulatin S-ID 6 plicies and prcedures. Respnse plans. Nearly all f the firms had plans fr addressing access incidents. In additin, the vast majrity f firms had plans fr denial f service incidents and unauthrized intrusins. Hwever, while the vast majrity f brker-dealers maintained plans fr data breach incidents and mst had plans fr ntifying custmers f material events, less than twthirds f the advisers and funds appeared t maintain such plans. All brker-dealers and a large majrity f advisers and funds maintained cybersecurity rganizatinal charts and/r identified and described cybersecurity rles and respnsibilities fr the firms wrkfrce. The vast majrity f brker-dealers and nearly tw-thirds f the advisers and funds had authrity frm custmers/sharehlders t transfer funds t third party accunts. Sme f the brker-dealers did nt appear t memrialize their prcesses int written supervisry prcedures. Rather, these brker-dealers appeared t have infrmal practices fr verifying custmers identities in rder t prceed with requests t transfer funds. All f the advisers and funds maintained plicies, prcedures, and standards related t verifying the authenticity f a custmer/sharehlder wh was requesting t transfer funds. III. Almst all firms either cnducted vendr risk assessments r required that vendrs prvide the firms with risk management and perfrmance reprts (i.e., internal and/r external audit reprts) and security reviews r certificatin reprts. While vendr risk assessments are typically cnducted at the utset f a relatinship, ver half f the firms als required updating such risk assessments n at least an annual basis. Issues Observed The staff bserved ne r mre issues in the vast majrity f the Cybersecurity 2 Initiative examinatins. Highlighted belw are issues the staff believes firms wuld benefit frm cnsidering in rder t assess and imprve their plicies, prcedures, and practices. While, as nted abve, all brker-dealers and funds, and nearly all advisers maintained written plicies and prcedures addressing cyber-related prtectin f custmer/sharehlder recrds and infrmatin, a majrity f the firms infrmatin prtectin plicies and prcedures appeared t have issues. Examples included: Plicies and prcedures were nt reasnably tailred because they prvided emplyees with nly general guidance, identified limited examples f safeguards fr emplyees t cnsider, were very narrwly scped, r were vague, as they did nt articulate prcedures fr implementing the plicies. 6 See 17 C.F.R. Part 248, Subpart C Regulatin S ID: Identity Theft Red Flags. See als Identity Theft Red Flags Rules, Exchange Act Release N , Advisers Act Release N. 3582, Investment Cmpany Act Release N (April 10, 2013), 78 Fed. Reg (April 19, 2013). 3

4 Firms did nt appear t adhere t r enfrce plicies and prcedures, r the plicies and prcedures did nt reflect the firms actual practices, such as when the plicies: Required annual custmer prtectin reviews; hwever, in practice, they were cnducted less frequently. Required nging reviews t determine whether supplemental security prtcls were apprpriate; hwever, such reviews were perfrmed nly annually, r nt at all. Created cntradictry r cnfusing instructins fr emplyees, such as plicies regarding remte custmer access that appeared t be incnsistent with thse fr investr fund transfers, making it unclear t emplyees whether certain activity was permissible. Required all emplyees t cmplete cybersecurity awareness training; hwever, firms did nt appear t ensure this ccurred and take actin cncerning emplyees wh did nt cmplete the required training. The staff als bserved Regulatin S-P-related issues amng firms that did nt appear t adequately cnduct system maintenance, such as the installatin f sftware patches t address security vulnerabilities and ther peratinal safeguards t prtect custmer recrds and infrmatin. Examples included: Stale Risk Assessments. Using utdated perating systems that were n lnger supprted by security patches. Lack f Remediatin Effrts. High-risk findings frm penetratin tests r vulnerability scans that did nt appear t be fully remediated in a timely manner. IV. Elements f Rbust Plicies and Prcedures 7 During these examinatins, the staff bserved several elements that were included in the plicies and prcedures f firms that the staff believes had implemented rbust cntrls. Firms may wish t cnsider the fllwing elements as they culd be useful in the implementatin f cybersecurity-related plicies and prcedures. 8 Maintenance f an inventry f data, infrmatin, and vendrs. Plicies and prcedures included a cmplete inventry f data and infrmatin, alng with classificatins f the risks, 7 8 This is nt intended t be a cmprehensive list f the elements f rbust cybersecurity plicies and prcedures. The adequacy f supervisry, cmpliance, and ther risk management plicies and prcedures can be determined nly with reference t the prfile f each specific firm and ther facts and circumstances. Firms may als wish t cnsider the guidance and infrmatin issued by the SEC s Divisin f Investment Management and the cybersecurity issues discussed in Cmmissin rders in settled enfrcement prceedings. See, e.g., IM Guidance Update: Cybersecurity Guidance (April 2015), In re Mrgan Stanley Smith Barney LLC, Exchange Act Release N , Advisers Act Release N (June 8, 2016), In re R.T. Jnes Capital Equities Management Inc., Advisers Act Release N (September 22, 2015), and In re Craig Sctt Capital LLC, Exchange Act Release N (April 12, 2016). 4

5 vulnerabilities, data, business cnsequences, and infrmatin regarding each service prvider and vendr, if applicable. Detailed cybersecurity-related instructins. Examples included: Penetratin tests plicies and prcedures included specific infrmatin t review the effectiveness f security slutins. Security mnitring and system auditing plicies and prcedures regarding the firm s infrmatin security framewrk included details related t the apprpriate testing methdlgies. Access rights requests fr access were tracked, and plicies and prcedures specifically addressed mdificatin f access rights, such as fr emplyee n-barding, changing psitins r respnsibilities, r terminating emplyment. Reprting plicies and prcedures specified actins t undertake, including wh t cntact, if sensitive infrmatin was lst, stlen, r unintentinally disclsed/misdirected. Maintenance f prescriptive schedules and prcesses fr testing data integrity and vulnerabilities. Examples included: Vulnerability scans f cre IT infrastructure were required t aid in identifying ptential weaknesses in a firm s key systems, with priritized actin items fr any cncerns identified. Patch management plicies that included, amng ther things, the beta testing f a patch with a small number f users and servers befre deplying it acrss the firm, an analysis f the prblem the patch was designed t fix, the ptential risk in applying the patch, and the methd t use in applying the patch. Established and enfrced cntrls t access data and systems. Fr example, the firms: Implemented detailed acceptable use plicies that specified emplyees bligatins when using the firm s netwrks and equipment. Required and enfrced restrictins and cntrls fr mbile devices that cnnected t the firms systems, such as passwrds and sftware that encrypted cmmunicatins. Required third-party vendrs t peridically prvide lgs f their activity n the firms netwrks. Required immediate terminatin f access fr terminated emplyees and very prmpt (typically same day) terminatin f access fr emplyees that left vluntarily. Mandatry emplyee training. Infrmatin security training was mandatry fr all emplyees at n-barding and peridically thereafter, and firms instituted plicies and prcedures t ensure that emplyees cmpleted the mandatry training. Engaged senir management. The plicies and prcedures were vetted and apprved by senir management. 5

6 V. Cnclusin Cybersecurity remains ne f the tp cmpliance risks fr financial firms. 9 As nted in OCIE s 2017 pririties, OCIE will cntinue t examine fr cybersecurity cmpliance prcedures and cntrls, including testing the implementatin f thse prcedures and cntrls at firms. 10 This Risk Alert is intended t highlight fr firms the risks and issues that the staff identified during examinatins f brker-dealers, investment advisers, and investment cmpanies regarding cybersecurity preparedness. In additin, this Risk Alert describes factrs that firms may cnsider t (1) assess their supervisry, cmpliance and/r ther risk management systems related t cybersecurity risks, and (2) make any changes, as may be apprpriate, t address r strengthen such systems. These factrs are nt exhaustive, nr will they cnstitute a safe harbr. Factrs ther than thse described in this Risk Alert may be apprpriate t cnsider, and sme f the factrs may nt be applicable t a particular firm s business. While sme f the factrs discussed in this Risk Alert reflect existing regulatry requirements, they are nt intended t alter such requirements. Mrever, future changes in laws r regulatins may supersede sme f the factrs r issues raised herein. The adequacy f supervisry, cmpliance, and ther risk management systems can be determined nly with reference t the prfile f each specific firm and ther facts and circumstances See, e.g., Investment Adviser Assciatin, ACA Cmpliance Grup, and OMAM, 2016 Investment Management Cmpliance Testing Survey (June 23, 2016), which synthesizes 730 adviser cmpliance prfessinals respnses t 94 cmpliance-related questins. Q94: 88% f advisers view cybersecurity, privacy, and identity theft as the httest cmpliance tpic fr OCIE, Examinatin Pririties fr 2017 (January 12, 2017). 6