OCIE Compliance (OCIE-C)

Illumant offers cybersecurity services to help financial institutions efficiently and effectively meet the cybersecurity requirements of the SEC and OCIE, and to protect sensitive customer and organizational information and assets, including:


  • Top-down security risk assessments
  • External and internal penetration testing and vulnerability assessment
  • Policies, procedures and practices development and gap analysis
  • Security awareness training
  • Vulnerability remediation services
  • And more

The OCIE is pressuring registered investment advisors and broker-dealers to improve their cybersecurity measures. Illumant’s services help to meet those goals.


Background

In April of 2015, the SEC issued guidance (https://www.sec.gov/investment/im-guidance-2015-02.pdf) to investment funds and advisers on protection of confidential and sensitive information.


The Office of Compliance Inspections and Examinations (OCIE) was subsequently tasked by the SEC with assessing industry practices, and legal and compliance issues associated with cybersecurity. And despite current political trends that favor reduction in compliance, OCIE examinations are set to rise (https://www.financial-planning.com/slideshow/sec-ocie-exams-to-rise-despite-lower-budget).


According to the OCIE’s examination priorities for 2017 : "In 2017, we will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls." (https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdft)


In August, the OCIE released a risk alert (https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf) with observations from examinations performed as part of its most recent "Cybersecurity 2 Initiative" (https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf).


In brief, the issues resulting from OCIE's examinations are as follows:

  • Nearly all firms have written security policies and procedures addressing cyber-security. Still, a majority have these issues:
    • Policies and procedures are narrowly scoped, vague, confusing and not prescriptive
    • Firms do not enforce policies and procedures, and cybersecurity practices diverge
    • Annual customer protection reviews are required but performed less frequently
    • Reviews of opportunities to add supplemental security protocols happen infrequently or not at all
    • Policies and procedures are self-contradictory and confusing to employees
    • Security awareness training is either non-existent or tracked to completion
    • Risk assessment are stale
    • Operating systems that are no longer supported by security patches are still in use
    • High-risk findings from penetration tests or vulnerability scans have not been fully remediated in a timely manner

Illumant's services and help investment advisors and broker-dealers build a robust and compliant security program that addresses the issues called out by the OCIE Furthermore, Illumant’s services help financial institutions meet individual state cybersecurity requirements (e.g. New York State's Cybersecurity Requirements for Financial Services Companies: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf)


Why do you need Illumant's OCIE-C Service?

The SEC has issued guidance for cybersecurity programs for investment advisers and broker-dealers. The OCIE has undertaken cybersecurity examination on the SEC's behalf. OCIE examinations are increasing, and penalties have been issued for not protecting customer data properly (https://www.sec.gov/news/pressrelease/2015-202.html).


Educate Officers/Stakeholders, Share Accountability, Drive Security Initiatives

Our OCIE-C service includes interviews with stakeholders to assess compliance as well as to educate and inform about compliance requirements, which increases cross-departmental responsibility and accountability, and helps drive security initiatives. You control who should be involved in the interview process.


Illumant Reduces the Burden and Minimizes the Confusion of Compliance

Illumant's OCIE-C service leverages our expertise and resources to shift much of the burden of compliance away from you, to distribute responsibility for compliance to appropriate personnel, and to add clarity and education to the process – what needs to be meet the standards, and what needs to be remediated to achieve compliance, avoid penalties, and of course, avoid breaches.


Highlights

  • Interviews with stakeholders, education
  • Inspection and observation-based process
  • Assessment of current security measures
  • Assessment of compliance with OCIE / SEC Requirements
  • Review of policies and procedures
  • Perimeter Security Assessment
  • Physical Security Assessment
  • Internal Security Assessments
  • Social Engineering
  • Security Awareness Training
  • Actionable remediation activities
  • Optional OCIE / SEC-compliant security program development
  • Documentation of results, evidence
  • Final reports – executive and technical

Targets

  • Customer Information
  • SEC Cybersecurity Guidance
  • OCIE Cybersecurity Examinations
  • Administrative, technical, physical controls
  • Policies and procedures
  • Security Awareness Training
  • Incident Response
  • Business Continuity
  • Access Control, Identification, Authentication
  • Configuration Management, System and Communications Protection
  • Media Protection
  • Physical Protection
  • Personnel Protection
  • Mobile Devices and Wireless networks

security risk analysis required addressable administrative technical physical safeguards security measures policies procedures vulnerability assessment penetration testing social engineering breach notification

electronic records applications servers routers firewalls physical security awareness data centers server rooms telco closets workstations

OCIE Cybersecurity Examinations OCIE Security Policy best practices