SEC Cybersecurity Best Practice Findings
The US SEC, via its inspections arm, the OCIE, has published a summary of observations from its examinations of cybersecurity compliance among broker-dealers and investment advisers since 2014. Many of the observations are useful for Asia-based firms and can serve as guidance on best practice, particularly for firms that are US-registered.
- Since 2014, there has been an increase in cybersecurity awareness, and nearly all firms have now implemented:
  - Written policies and procedures on the protection of client and investor records and information.
  - Periodic assessments of critical systems to identify cybersecurity threats.
  - Some form of system to prevent and monitor data loss relating to clients' personal data.
  - A process for regular system maintenance, including the installation of software patches to address system vulnerabilities.
  - Information protection programs that include cyber-related business continuity plans and incident response plans.
  - Cybersecurity organizational charts with defined cybersecurity roles and responsibilities.
  - Policies and procedures for verifying the authenticity of a client or investor requesting a transfer of funds.
  - Vendor risk assessments.