The Securities and Exchange Commission (SEC) recently issued a Risk Alert detailing the findings of its latest round of cybersecurity examinations.
Based on examinations of 75 firms over a period of two years, the SEC identified both best practices and common issues. Training staff on the elements of cybersecurity was noted as a best practice, but actual implementation of the training was identified as an issue at a number of the examined firms.
Cyber-Preparedness Is on the Rise
The examination, which included broker-dealers, investment advisers and investment companies, found that cyber-preparedness had generally increased since the last round of examinations in 2014, with the majority of firms having policies, procedures, and processes focusing on cybersecurity as part of their risk programs.
The SEC identified the establishment of mandatory training in cybersecurity as one element of a ‘robust’ cybersecurity program. More specifically, it stated that the training should be mandatory for all employees, and should include both onboarding training and periodic refresher training thereafter.
On the other hand, the SEC noted that a failure to follow through on cyber-awareness and cybersecurity training programs constitutes a serious and common issue among the examined firms.
The report specifically noted that a number of firms required all employees to complete cybersecurity awareness training but failed to verify that the training actually occurred, and took no action against employees who did not complete it. Not all companies are following up.
The SEC concludes its report by noting that cybersecurity remains one of the top compliance risks for financial firms, and that it will continue to conduct cybersecurity examinations on a regular basis in the future.
The Risk Alert can be accessed directly here.