SEC’s OCIE Releases Key Observations from 2015-2016 Cybersecurity Examinations

August 8, 2017

The U.S. Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on August 7 containing a summary of its observations from its phase 2 cybersecurity examinations conducted in 2015 and 2016. OCIE examined 75 firms, including broker-dealers, investment advisers, and funds registered with the SEC. This second phase of examinations built upon the first phase examinations and focused on cybersecurity policies and procedures.

OCIE staff noted that firms examined in their phase 2 initiative were better positioned than in their phase 1 initiative from 2014. For example, most firms examined conducted risk assessments, had adopted policies and procedures, and had implemented some form of vendor diligence and management. However, OCIE staff did note that the majority of firms examined had one or more issues.

Key OCIE staff observations include:

  • Gaps in policies and procedures — While nearly all firms examined maintain written policies and procedures addressing the protection of their data, a majority of these policies and procedures had issues, including not being reasonably tailored or not reflecting the firms' actual practices. OCIE staff noted certain specific examples, such as cybersecurity training that was mandated by policies on an annual basis but was not periodically conducted.
  • Issues related to Regulation S-P — OCIE staff observed that some firms examined did not conduct adequate system maintenance, including timely installation of software patches to address security vulnerabilities. In particular, OCIE staff noted a lack of remediation of high-priority findings raised by vulnerability assessments or penetration tests.

OCIE staff also noted the following practices regarding policies and procedures at certain firms that other firms may want to consider implementing:

  • Maintenance of an inventory of data, information, and vendors;
  • Detailed cybersecurity-related testing and planning, such as periodic penetration testing, access control reviews, and incident response planning;
  • Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
  • Established and enforced controls to access data and systems, including adoption of an Acceptable Use Policy;
  • Mandatory employee training; and
  • Promotion of a culture of security by senior management.

ACA Aponix Commentary

The OCIE staff observations are consistent with industry surveys, including the ACA Aponix / NSCP cybersecurity survey and the IAA / ACA Compliance Group / OMAM investment adviser survey.

How ACA Aponix Can Help

ACA Aponix can assist with the following key areas noted by the OCIE staff observations:

  • Periodic risk assessments;
  • Cyber-related policies and procedures, including incident response plans;
  • Periodic penetration testing and vulnerability assessments;
  • Periodic training sessions;
  • Vendor diligence; and
  • Mock SEC cyber examinations.

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.