On April 15, 2014 the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a National Exam Program Risk Alert entitled OCIE Cybersecurity Initiative (the “Risk Alert”). The Risk Alert announces OCIE’s plans to conduct examinations of more than 50 registered broker-dealers and investment advisers focused on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.
Although the Risk Alert does not specify, it can be expected that the sample of firms to be examined will be selected to gather information about how firms of different sizes and levels of complexity are addressing cybersecurity risks. Accordingly, registered broker-dealers and investment advisers should review the Risk Alert carefully and prepare for a potential examination by OCIE of their cybersecurity protocols, policies and defenses.
The Risk Alert includes a sample information and document request list that describes the various categories of detailed information that OCIE will potentially be seeking through its examinations. This disclosure by OCIE is intended to provide compliance professionals in the securities industry with questions and tools they can use to assess their firms’ level of preparedness. The sample information and document request list also can be used by a firm’s compliance department as a guide to track the firm’s cyber infrastructure, assess the firm’s cybersecurity risks and document, implement and monitor policies and procedures regarding identification, documentation, prioritization and mitigation of cyber risks. The sample request list suggests that all financial firms should, among various other measures:
- use an established framework to address cybersecurity;
- have written policies and procedures in place to manage information security assets, networks and information;
- conduct periodic risk assessments to identify physical cybersecurity threats and vulnerabilities;
- identify persons responsible for overseeing cybersecurity risks;
- implement a cybersecurity incident response policy; and
- maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents.
OCIE hopes that these examinations will identify areas where the SEC and the securities industry can work together to protect investors and capital markets from cybersecurity threats. Registered broker-dealers and investment advisers should review the information and document requests included in the Risk Alert and evaluate their existing cybersecurity policies and procedures. Financial firms should also prepare for OCIE’s greater scrutiny of their cybersecurity policies and procedures.