Background and Purposes
On April 15, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” explaining a new initiative to assess cybersecurity preparedness in the securities industry. Although not an official rule, regulation or statement of the SEC, the Risk Alert advised that OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, regarding their cybersecurity and data security procedures and policies.
OCIE’s cybersecurity initiative is designed to obtain information about the industry’s recent experiences with certain types of cyber threats. The examinations will focus on the following topics: the firm’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain specific cybersecurity threats.
Questions Registered Entities May be Asked
As an appendix to the Risk Alert document it released this week, OCIE included a sample list of requests for information that OCIE may use to assess registered firm’s preparedness to deal with cybersecurity threats. A primary area of OCIE inquiry is the firm’s internal policies and procedures for data preservation and cybersecurity. For example, one sample question asks the firm to identify the last time it completed certain cybersecurity precautions, such as: preparing a firm-wide inventory of physical devices and systems; mapping network resources, connections and data flows; and cataloguing connections to the firm’s network from external sources. Another asks the firm whether it maintains data breach/cybersecurity insurance, and if so, the firm is asked to describe the nature of the coverage and whether the firm has filed any claims against the policy. The OCIE also asks if the firm maintains written data destruction policies or cybersecurity incident response policies, and if so, the firm is asked to provide copies of the policies and identify the date they were last updated.