Cybersecurity: Are You Exposed?
Top 3 cybersecurity deficiencies identified by OCIE's recent cybersecurity examination sweep of 75 financial firms
In a recent post on the SEC’s latest report into financial firms’ cybersecurity preparedness, we gave a quick summary of the measures firms were found to be taking. It’s a handy way to benchmark whether what you’re doing is in line with the market – or even best practice.
But what about worst practice? Where are most firms exposed to cybersecurity risk and how could you be improving your game?
In its report OCIE, the SEC’s Office of Compliance Inspections and Examinations, highlighted three main areas where it saw firms falling short:
Information protection policies and procedures were not tailored enough – too vague, for example, or too narrow in scope
Firms didn't actually follow their policies and procedures, or put them in place – this included not carrying out reviews at the cited frequency or failing to follow through on stated requirements for cybersecurity training
Regulation S-P-related issues – such as failing to install patches for security vulnerabilities or to remediate high-risk findings from penetration tests and vulnerability scans
As OCIE emphasizes, cybersecurity remains a top priority at financial firms. Its teams will continue to carry out examinations at regulated firms, including testing their procedures. With cybercrime a growing risk, it pays to reduce your exposure as much as possible.
To read OCIE’s “Issues Observed” in full, take a look at pages 3-4 in the full report.