SEC ISSUES CYBER REPORT CARD: Financial firms are more prepared, but need to improve policies and plans.

Author: Salierno, D.

The U.S. Securities and Exchange Commission (SEC) has offered a mixed report on the status of cybersecurity practices in the financial services industry. Detailing its survey of 75 regulated entities, the SEC Office of Compliance Inspections and Examinations (OCIE) National Exam Program Risk Alert provides observations of both improvements and problems.

Since its last survey, published in 2016, the OCIE points to an overall improvement in surveyed firms' awareness of cyber risks, as well as their implementation of certain cybersecurity practices. The office cites nearly all firms' maintenance of written cybersecurity policies and procedures aimed at protecting customer and shareholder data, and it notes that most firms conducted periodic risk assessments of critical systems to identify cybersecurity threats. All surveyed organizations used some kind of tool to prevent, detect, and monitor for data loss related to personally identifiable information.

Among areas for improvement, the OCIE cites many firms' use of only general guidance in their cybersecurity policies and procedures, with limited examples of safeguards for employees...
