OCIE

SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices

On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued observations gleaned from its examinations of the cybersecurity and operational resiliency practices adopted by market participants (the “Observations”). The Observations affect the entire securities industry because OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. OCIE uses a risk-based approach to examinations to fulfill its mission of promoting compliance with U.S. securities laws, preventing fraud, monitoring risk, and informing SEC policy.

The Observations cover a broad range of operations in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to safeguard against threats and respond in the event of an incident.

Organizations subject to examination by OCIE should expect the primary elements highlighted in the Observations to be a focus of both routine and targeted examinations. The Observations are best regarded as a set of “best practices” that regulated organizations should consider in developing, implementing, and monitoring the effectiveness of their own compliance programs.

The following are selected excerpts from the Observations that we believe are the most significant. A complete copy of the Observations can be found here.

Governance and Risk Management

OCIE emphasized that effective compliance programs “start with the right tone at the top.” Because this is a top priority in any examination, senior leaders should be committed to improving their organization’s cyber posture by working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.

OCIE observes that a key element is the incorporation of a governance and risk management program that generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.

Access Rights and Controls

OCIE observes that “access rights and controls” are used to identify the appropriate users within an organization and to determine which of them should have access to organization systems based on job responsibilities. Access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.

Data Loss Prevention

“Data loss prevention,” as conceived by OCIE, typically includes a set of tools and processes an organization uses to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users.

Mobile Security

Mobile devices and applications may create additional and unique vulnerabilities. Examples of the mobile security measures OCIE has observed include the following elements: (i) establishing specific policies and procedures for the use of mobile devices, including managing the use of mobile devices (e.g., a compliance program that addresses the special concerns presented when employees are permitted to use their own mobile devices in performing business functions); (ii) implementing security measures; (iii) training employees, including training on mobile device policies; and (iv) effective practices to protect mobile devices.

Incident Response and Resiliency

OCIE notes the importance of a compliance program including the following elements: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents. OCIE emphasized that an important component of an incident response plan is a business continuity plan and resiliency plan that addresses how quickly the organization could recover and again safely serve clients if the operations of the organization were materially disrupted.

Vendor Management

OCIE found that practices and controls related to vendor management generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors, and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.

Training and Awareness

Training and awareness are key components of cybersecurity programs. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats.

OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness: (i) training staff to implement the organization’s cybersecurity policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency; (ii) providing specific cybersecurity and resiliency training, including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious; (iii) monitoring to ensure employees attend training and assessing the effectiveness of training; and (iv) continuously re-evaluating and updating training programs based on cyber-threat intelligence.

OCIE Issues Alert Regarding Compliance Issues Related to Best Execution by Investment Advisers

On July 11, 2018, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission issued a Risk Alert regarding the most frequent best execution issues cited in adviser exams “to provide investment advisers (“advisers”), investors and other market participants with information concerning many of the most common deficiencies that the staff has cited in recent examinations of advisers’ compliance with their best execution obligations under the Investment Advisers Act of 1940.”

The following is a summary list of the examples provided by OCIE of the most common deficiencies associated with advisers’ best execution obligations.

  • Not performing best execution reviews.
  • Not considering materially relevant factors during best execution reviews.
  • Not seeking comparisons from other broker-dealers.
  • Not fully disclosing best execution practices.
  • Not disclosing soft dollar arrangements.
  • Not properly administering mixed use allocations.
  • Inadequate policies and procedures relating to best execution.
  • Not following best execution policies and procedures.

According to OCIE, the examinations within the scope of this review resulted in a range of actions, including advisers electing to amend their disclosures regarding best execution or soft dollar arrangements, revising their compliance policies and procedures, or otherwise changing their practices regarding best execution or soft dollar arrangements. To read the full text, click here.

SEC Announces 2016 Examination Priorities

On January 11, the SEC announced its Office of Compliance Inspections and Examinations’ (OCIE) 2016 priorities. New areas of focus include liquidity controls, public pension advisers, product promotion, and two popular investment products – exchange-traded funds and variable annuities. The priorities also reflect a continuing focus on protecting investors in ongoing risk areas such as cybersecurity, microcap fraud, fee selection, and reverse churning.

The 2016 examination priorities address issues across a variety of financial institutions, including investment advisers, investment companies, broker-dealers, transfer agents, clearing agencies, and national securities exchanges. Areas of examination include:

  • Retail Investors – OCIE will continue several 2015 initiatives to assess risks to retail investors seeking information, advice, products, and services to help them plan for and live in retirement. It also will undertake examinations to review exchange-traded funds (ETFs) and ETF trading practices, variable annuity recommendations and disclosure, and potential conflicts and risks involving advisers to public pension funds.
  • Market-Wide Risks – OCIE will continue its focus on cybersecurity controls at broker-dealers and investment advisers. New initiatives for 2016 include an evaluation of broker-dealers’ and investment advisers’ liquidity risk management practices, and firms’ compliance with the SEC’s Regulation SCI, designed to strengthen the technology infrastructure of the U.S. securities markets.
  • Data Analytics – OCIE’s enhanced ability to analyze large amounts of data will assist examiners’ ongoing initiatives to assess anti-money laundering compliance, detect microcap fraud, and review for excessive trading. Data analytics also will help examinations focused on promotion of new, complex, and high-risk products.

The published priorities for 2016 are not exhaustive and may be adjusted in light of market conditions, industry developments and ongoing risk assessment activities.

The SEC’s Office of Compliance Inspections and Examinations (OCIE) Publishes Risk Alert On Addressing Cybersecurity Issues for Broker-Dealers and Investment Advisers

On February 3, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert that contains observations based on examinations of more than 100 broker-dealers and investment advisers. The examinations focused on how these firms:

  • Identify cybersecurity risks
  • Establish cybersecurity policies, procedures, and oversight processes
  • Protect their networks and information
  • Identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors
  • Detect unauthorized activity

A second publication, an Investor Bulletin issued by the SEC’s Office of Investor Education and Advocacy (OIEA), provides core tips to help investors safeguard their online investment accounts, including:

  • Pick a “strong” password
  • Use two-step verification
  • Exercise caution when using public networks and wireless connections

Risk Alert. Investor Bulletin. Press Release.

Priorities Focus on Protecting Retail Investors, Assessing Market-Wide Risks and Using Data Analytics

On January 13, the Securities and Exchange Commission announced its Office of Compliance Inspections and Examinations’ (OCIE) priorities for 2015, which focus on three areas: protecting retail investors, especially those saving for or in retirement; assessing market-wide risks; and using data analytics to identify signs of potential illegal activity.

The 2015 examination priorities address issues across a variety of financial institutions, including investment advisers, investment companies, broker-dealers, transfer agents, clearing agencies, and national securities exchanges. Of particular interest are the following areas of examination:

Retail Investors – Retail investors are being offered products and services that were formerly characterized as alternative or institutional, including private funds, illiquid investments, and structured products. Additionally, financial services firms are offering a broad array of information, advice, products, and services to help retail investors plan for and live in retirement.

Market-Wide Risks – OCIE will examine for structural risks and trends that involve multiple firms or entire industries, including: monitoring large broker-dealers and asset managers in coordination with the SEC’s policy divisions, conducting annual examinations of clearing agencies as required by the Dodd-Frank Act, assessing cybersecurity controls across a range of industry participants, and examining broker-dealers’ compliance with best execution duties in routing equity order flow.

Data Analytics – OCIE will use its enhanced analytic capabilities to focus on registrants and registered representatives that appear to be potentially engaged in illegal activity. Press Release. Full Report.

SEC Publishes Risk Alert and FAQs Reminding Broker-Dealers of their Obligations In Unregistered Transactions

On October 9, the SEC announced publication of a Risk Alert and FAQs to remind broker-dealers of their obligations when they engage in unregistered transactions on behalf of their customers. The publication of the staff guidance was accompanied by the announcement of an enforcement action against two firms for improperly selling billions of shares of penny stocks through such unregistered offerings. The Risk Alert summarizes deficiencies that were discovered by the SEC’s Office of Compliance Inspections and Examinations (OCIE) during a targeted sweep of 22 broker-dealers frequently involved in the sale of microcap securities. Announcement. Risk Alert.

SEC OCIE Letter on National Exam Program Initiative

On October 9, the SEC’s Office of Compliance Inspections and Examinations (OCIE) sent letters of introduction, addressed to the senior executives of newly registered advisers to private funds, as part of its nationwide outreach announcing a new initiative under the National Exam Program, in which OCIE will be conducting “focused, risk-based examinations of advisers to private funds.”

Under this initiative, the exam staff will review one or more high-risk areas of a private fund adviser, which could include marketing materials; conflicts of interest in the portfolio management process, such as investment and trade allocations; safety of client assets in the context of the Advisers Act custody rule; and valuation policies and procedures, especially with regard to illiquid or difficult-to-value instruments. As with all OCIE exams, the outcome could include no findings, an “examination summary letter” of compliance deficiencies, or a referral to the SEC’s Division of Enforcement or another regulator, such as FINRA or a state. SEC OCIE Letter.

OCIE Issues National Exam Program Overview

On March 13, the Office of Compliance Inspections and Examinations (OCIE) of the SEC issued a National Exam Program Overview setting forth OCIE’s examination results for 2011 as well as detailing the strategic areas upon which OCIE will focus its 2012 examination efforts for investment companies, investment advisers, broker-dealers, self-regulatory organizations, credit rating agencies, clearance and settlement programs, and coordination with other regulators. National Exam Program Overview.