SEC Exam Program Doubles Up Focus on Cybersecurity

The Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) has issued an additional Risk Alert regarding the Targeted Industry Reviews and Examinations Initiative for the second round of cybersecurity examinations.

This current initiative follows the (i) SEC sponsored Cybersecurity Roundtable where SEC Commissioners and staff, along with industry representatives, underscored the importance of cybersecurity in March 2014; (ii)  the Risk Alert , published by OCIE in April 2014, announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry; (iii) including cybersecurity compliance and controls as part of its 2015 Examination Priorities; and (iv) the publication by OCIE of a summary observations of the findings from these examinations in February 2015.

With this chain of events, it is clear that the SEC has targeted cybersecurity as a real threat, and set it high on its list of priorities.

The current Cybersecurity Examination Initiative is designed to build on OCIE’s previous examinations in this area and further assess cybersecurity preparedness in the securities industry, including firms’ ability to protect broker-dealer customer and investment adviser client’s information. The initiative will involve more testing to assess implementation of firm procedures and controls for both broker-dealers and investment advisory firms. It is anticipated that OCIE staff will continue their focus on cybersecurity by conducting examinations that are directed on  key topics, including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. With respect to those key topics, the following provides an overview of what examiners will be looking at.

  • Governance and risk assessment.   Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed, including patch management, determine  whether firms are periodically evaluating cybersecurity risks, whether their controls and risk assessment processes are tailored to their business and  they may review the level of communication to,  and involvement of, senior management and boards of directors.
  • Access Rights and Controls.  Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes.   Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
  • Data Loss Prevention.  Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads and they may also assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
  • Vendor Management.   As some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may also assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
  • Training.  Without proper training, employees and vendors may put a firm’s data at risk.  With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology.  Therefore, examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior and they may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
  • Incident Response.  Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. To address this, examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This would include determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.

While these SEC noted  those areas that would be the primary focus areas for the Cybersecurity Examination Initiative, they noted that examiners may select additional areas based on risks identified during the course of the examinations.   OCIE also noted that they believed that by sharing the key focus areas for the Cybersecurity Examination Initiative and providing a sample information and document request, it would encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.

With that said, broker-dealers and investment advisors should review the document request and consider taking another look  at their cybersecurity procedures to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems in light of document request and the focus areas discussed.