By Michael R. Manley, partner and Blair R. Springer, associate, Venable, LLP

The United States Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) recently conducted its Cybersecurity 2 Initiative (Initiative). The Initiative consisted of an OCIE examination of 75 firms, including investment companies, investment advisers, and broker-dealers (collectively, the Firms). OCIE reported its observations from the Initiative in a recent Risk Alert. The Initiative focused on the Firms' written cybersecurity policies and procedures and included validation and testing of whether those policies and procedures were actually implemented and followed.

In general, OCIE observed that Firms had increased their cybersecurity preparedness since OCIE's 2014 Cybersecurity 1 Initiative. However, OCIE noted specific areas where compliance and oversight could be improved. A summary of OCIE's observations, including both the issues and the robust practices it identified, follows.


OCIE observed that most Firms conducted (i) periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and business consequences, and (ii) penetration tests and vulnerability scans. In addition, all Firms used some system, utility, or tool to prevent, detect, and monitor data loss involving personally identifiable information. At the same time, OCIE observed several issues at many Firms, varying in part with the type of firm. For example:

  • A number of Firms did not appear to fully remediate risks discovered from tests and scans.
  • A number of Firms failed to install critical software security patches in connection with regular system maintenance.
  • Many advisers and funds did not appear to maintain their incident response plans related to data breach incidents and notifying customers or clients.
  • Some Firms did not appear to memorialize, as part of their written supervisory procedures, their authority to transfer client/customer funds to third-party accounts.

Specific Issues Identified by OCIE

OCIE provided more detail on many of the issues identified during the Initiative. For example, although most Firms kept up-to-date written policies and procedures for the protection of client data, many did not enforce those policies, and OCIE noted that the Firms' actual practices often diverged from their stated goals. OCIE also noted that Firms should tailor their policies to their business and avoid giving employees contradictory or confusing instructions, particularly in areas such as remote access and investor fund transfers. Finally, some issues implicated Regulation S-P, including the use of outdated operating systems and the failure to correct high-risk vulnerabilities once identified.

Robust Policies and Procedures

OCIE also highlighted the following elements of robust cybersecurity policies and procedures:

  • Firms generally kept a complete inventory of data and information and classified it by risk, vulnerabilities, and other criteria.
  • Firms’ policies and procedures included detailed cybersecurity-related instructions, including with respect to penetration tests, security monitoring and system auditing, access rights, and reporting.
  • Many Firms maintained schedules and processes for testing data integrity and vulnerabilities, such as scans of core IT infrastructure and patch management policies.
  • Other Firms required strict controls, including passwords and encryption, for mobile devices that connected to the Firms' systems.
  • Finally, some Firms tracked an employee's access rights throughout his or her time with the company, recording how and when those rights changed.

The Initiative and OCIE's related observations reinforce the priorities set forth in OCIE's 2017 Priorities Letter. OCIE's continued scrutiny of the industry's cybersecurity programs, policies, and procedures merits ongoing diligence, assessment, and improvement by regulated firms. OCIE's full cybersecurity examination observations are set out in its Risk Alert on the Initiative.

About the Authors
Michael Manley is a partner based in Venable's New York office and a member of the firm's Corporate Group. Mr. Manley draws on his prior experience as a President, General Counsel, and Chief Compliance Officer to solve problems efficiently and craft practical solutions for his clients. He offers general counsel services, providing day-to-day advice and guidance on all corporate matters, including corporate governance, litigation strategy, M&A, employment, IP, service provider agreements, financing arrangements, and enterprise risk management.
Blair Springer is an associate in Venable’s Corporate Group in New York. His practice focuses on corporate finance, mergers and acquisitions, private equity and venture capital transactions, and tax.