On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the US Securities and Exchange Commission (“SEC”) announced the results of its second cybersecurity examination initiative.1 This initiative built on the SEC’s 2014 cybersecurity examination initiative (“Cybersecurity 1 Initiative”) but “involved more validation and testing of procedures and controls surrounding cybersecurity preparedness.”2

Beginning in September 2015 and over roughly a one-year period, OCIE examined 75 regulated entities—broker-dealers (“BDs”), investment advisers (“IAs”) and investment companies (“funds”)—focusing on (1) governance and risk assessment, (2) access rights and controls, (3) data loss prevention, (4) vendor management, (5) training and (6) incident response.

OCIE reported the results of its cybersecurity initiative in a “risk alert,” which offers both observations of industry cybersecurity practices and recommendations for best practices that regulated entities may wish to consider implementing.

This Legal Update discusses what the OCIE Risk Alert reports on the maturation of cybersecurity defenses, what it notes regarding industry practices and what it recommends for regulated entities.
