Consistent with prior guidance issued by the SEC, the Alert specifically highlighted the importance of: (1) conducting cyber-risk assessments of critical systems; (2) conducting penetration tests and vulnerability scans of critical systems; and (3) performing regular patch management and system maintenance. The importance of these best practices in meeting SEC requirements for firms to prevent, detect, and respond to cybersecurity threats was previously highlighted by the SEC in the Division of Investment Management’s IM Guidance Update: Cybersecurity Guidance (April 2015) as well as in OCIE’s National Exam Program Risk Alert, OCIE’s 2014 Cybersecurity Initiative (April 15, 2014).
In highlighting these best practices, OCIE also reiterated findings from its 2014 Cybersecurity Initiative, specifically noting that investment advisers and investment funds performed notably worse as a group than broker-dealers. This may indicate a continued belief by OCIE that investment management firms and funds continue to lag behind broker-dealers in implementing basic cybersecurity best practices.
The Alert additionally highlighted a new recommended best practice, noting that it is important for firms to develop rapid response capabilities as part of appropriate advance planning to address cybersecurity issues. This may indicate that OCIE is placing an increased emphasis in exams on the ability of firms to quickly respond to evolving cybersecurity threats with appropriate preventative measures.
OCIE’s repeated emphasis on certain cybersecurity best practices further demonstrates that financial services regulators are increasingly defining and articulating a core set of minimum standards that regulated entities will be expected to meet in practice in order to comply with the data protection requirements of applicable financial services law and regulation. Illustrating this emerging development, it is noteworthy that the best practices identified by OCIE in the Alert overlap with, and are broadly consistent with, the minimum standards established by the New York State Department of Financial Services in its recent cybersecurity regulation. Financial services firms are encouraged to be aware of this emerging standard and consider taking steps to ensure that their cybersecurity practices are consistent with regulatory expectations.