On September 15, 2015, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert discussing its cybersecurity examination initiatives and areas of focus. These initiatives were developed in large part from a series of examinations conducted in 2014 to identify cybersecurity risks and evaluate the preparedness of firms in the securities industry. In the Risk Alert, OCIE provides investment advisers and broker-dealers a detailed list of the areas of concern with respect to cybersecurity that it will focus on during examinations. These concerns suggest that advisers and broker-dealers must carefully evaluate and document their cybersecurity policies, procedures and actions in order to maintain compliance with SEC and OCIE standards.
Areas of Focus
When conducting examinations, OCIE will evaluate cybersecurity in a number of operational areas, including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response. Examinees may be required to describe the frequency and scope of their evaluations of cybersecurity risks, and OCIE may request information on controls intended to prevent unauthorized access to data or software, as well as the methods used to monitor the channels and volume of data transfers. OCIE may also ask about specific access controls; for instance, examinees may be expected to employ multifactor authentication.
Likewise, OCIE will focus on procedures and controls examinees use with respect to vendors. Particular areas of concern include due diligence in vendor selection, monitoring of vendor activity and appropriate contract provisions. Examinees may also need to demonstrate how vendors and employees are trained on cybersecurity policies and incident response procedures.
Document and Information Requests
The Risk Alert also contains a sample document request to illustrate the types of information that may be sought during an examination. For instance, an examinee may need to provide OCIE with its policies and procedures related to the protection of customer and client data, information on its employees and departments responsible for cybersecurity matters and the findings from any data security testing or vulnerability scans.
Several of the potential information requests suggest that OCIE expects advisers and broker-dealers to demonstrate detailed record-keeping procedures. For example, the sample list includes “documentation evidencing the tracking of employee access rights” and changes to those rights, as well as information on employees who are reassigned “to a new group or function, including their date of reassignment and the date their access to the firm’s systems was modified.” Examinees may also be required to demonstrate how data is classified with respect to sensitivity or the risk associated with unauthorized access of that data. Finally, OCIE may request documentation of procedures relating to continuity of operations in the event of a cybersecurity breach, as well as the amount of any actual customer losses associated with cybersecurity incidents.
OCIE is not alone in its increased focus on cybersecurity—the SEC’s Division of Enforcement has shown concern in this area as well, particularly in actions against broker-dealers or investment advisers who suffer cybersecurity breaches. For instance, the SEC recently determined that an investment adviser failed to establish written cybersecurity policies prior to a July 2013 breach that resulted in the compromise of personally identifiable information of approximately 100,000 individuals. According to the SEC, the firm’s deficiencies included a failure to conduct periodic risk assessments or maintain a response plan for cybersecurity events. Although the adviser received no indications that clients were financially harmed as a result of the attack, it agreed to pay a $75,000 penalty as part of its settlement with the SEC.
The Risk Alert can be found at http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
Stephanie A. Hood