The SEC Office of Compliance and Examinations (OCIE) is a government agency that performs official examinations of entities registered with the SEC, including investment advisors, mutual funds, exchange-traded funds, broker-dealers, transfer agents, active clearing agencies, and national securities exchanges. Examinations are scheduled annually and focus on prompting the implementation of risk-reduction policies that have four goals:
- Improving compliance
- Preventing fraud
- Monitoring risk
- Informing policy
Regarding OCIE cybersecurity, examinations emphasize the “proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security.” With this in mind, here are four types of OCIE cybersecurity risks that SEC-registered firms should learn about, with the goal of implementing policies that create more secure IT systems and protocols for safer digital interactions within the systems.
1. Poorly Defined IT Policies and Procedures
OCIE cybersecurity examinations find that one of the primary cybersecurity risks for firms is having IT policies and procedures that offer only limited reference to safeguards for employees to follow, limited guidance for following them, and methods of intervention that are vague or limited in scope. Policies that are plagued by myopia and generality are ineffective.
2. Lack of Consistent IT Policy Enforcement
In some cases, a firm has well-articulated policies, but not a well-defined plan of action for implementing the policies to combat specific OCIE cybersecurity risks. This may result from having a IT small department that lacks the human resources to address the firm’s IT needs in a timely manner. It could also be a consequence of poorly defined execution of enforcement.
3. IT Policies that Don’t Align with Practices
To be implemented in a timely, efficacious manner, the cybersecurity policies of a firm must clearly reflect the business practices to which they are intended to apply. If they don’t, the lack of alignment between policies and practices virtually ensures that the former will not effectively inform the latter. This shows the need for cybersecurity policies to be tailor-made.
4. Failure to Implement Solutions for Change
Some firms are well-aware of the opportunity to implement specific policies that would improve cybersecurity. However, while the current level security may be insufficient, the lack of a major security event that would serve as a catalyst for change (such as a major theft of client data) results in a lack of urgency that keeps the current level of security unchanged.
Creating and Implementing Policies
For financial firms that don’t have in-house IT expertise, creating and implementing policies that address the OCIE cybersecurity risks can benefit from the assistance of third-party IT consultants. If you need assistance with deploying policies to address these and/or other risks, contact the IT experts at NIC today to schedule a free examination of your needs.
