The SEC shared observations from its most recent Cybersecurity Sweep (referred to as the “Initiative”) of 75 Investment Firms consisting of registered Investment Advisers, Investment Companies, and Broker-Dealers (collectively, “Investment Firms”). The SEC reiterated that Investment Firms should consider a wide range of information security practices, procedures and controls and — drawing from these options — should customize an appropriate Cybersecurity Program that is tailored to such Investment Firm’s operations, lines of business, unique risk profile and size.
- This shows us that the Cybersecurity Sweeps are continuing and Investment Firms should be prepared for these examination exercises.
- The SEC observed that although many Investment Firms have adopted Cybersecurity policies, procedures and practices, many are not regularly assessing and testing these controls.
- These Cybersecurity Sweeps revealed that generally, Broker-Dealers are designing and implementing customized Cybersecurity Programs at a higher rate than Investment Advisers and Investment Companies.
- The SEC also referred Investment Firms to its prior principles-based guidance materials regarding designing and developing a meaningful Cybersecurity Program. These materials, in the aggregate, provide a framework for the necessary elements of such a program.
Following the WannaCry epidemic that occurred on May 12th, which is being reported as the largest ransomware attack in history, the SEC swiftly stepped in to provide guidance to Investment Firms on how to address this specific threat.
Cipperman Compliance Services