The Securities Exchange Commission (“SEC”), Office of Compliance Inspections and Examinations (the “OCIE”), published a Risk Alert describing its findings from its second cybersecurity survey of regulated entities (the “Cybersecurity 2 Initiative”).
The survey covered 75 registered broker-dealers, investment advisers, and investment companies and built upon OCIE’s prior round of cybersecurity examinations in 2014 (the “Cybersecurity 1 Initiative”).
While OCIE found improvements in cybersecurity preparedness since the Cybersecurity 1 Initiative, it also identified areas for improvement. Among other things, OCIE concluded that it is not sufficient for firms to simply establish written cybersecurity policies and procedures—such policies must also be maintained, sensibly enforced, and capable of addressing cybersecurity deficiencies as they arise.