OBSERVATIONS FROM OCIE’S CYBERSECURITY 2 INITIATIVE
Published by Gbaf News
Posted on October 4, 2017


By Michael R. Manley, partner and Blair R. Springer, associate, Venable, LLP

The United States Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently conducted its Cybersecurity 2 Initiative (Initiative). The Initiative consisted of an examination by OCIE of 75 businesses, including investment companies, investment advisers, and broker-dealers (collectively, the Firms). OCIE reported its observations from the Initiative in a recent Risk Alert. The Initiative focused on the Firms’ written policies and procedures regarding cybersecurity and included validation and testing that such policies and procedures were implemented and followed.
In general, OCIE observed that Firms had increased their cybersecurity preparedness since OCIE’s 2014 Cybersecurity 1 Initiative. However, OCIE noted specific areas where compliance and oversight could be improved. A summary of OCIE’s observations, including issues and robust practices identified by the organization, follows.
Observations
OCIE observed that most Firms conducted (i) periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and business consequences, and (ii) penetration tests and vulnerability scans. In addition, all Firms utilized some system, utility, or tool to prevent, detect, and monitor data loss related to personally identifiable information. In contrast, OCIE’s observations included several issues at many Firms, depending, in part, on the type of firm. For example:
Specific Issues Identified by OCIE
OCIE provided more detail with respect to many of the issues identified pursuant to the Initiative. For example, although most Firms kept up-to-date written policies and procedures for the protection of client data, many did not enforce those policies. OCIE noted that many of the Firms’ actual practices diverged from their stated goals. Additionally, OCIE noted that Firms should tailor their policies to their business and should avoid creating contradictory or confusing instructions for employees, particularly with respect to certain areas, such as remote access and investor fund transfers. Finally, some issues implicated Regulation S-P, including the use of outdated operating systems and the failure to correct high-risk vulnerabilities when identified.
Robust Policies and Procedures
OCIE also highlighted the following elements of robust cybersecurity policies and procedures:
The Initiative and OCIE’s related observations reinforce the priorities set forth in OCIE’s 2017 Priorities Letter (a copy of which can be accessed here). OCIE’s continued scrutiny of the industry’s cybersecurity programs, policies, and procedures merits ongoing diligence, assessments, and improvements by regulated firms. To read more about OCIE’s cybersecurity examination observations, click here.