SEC Exam Priorities – Cybersecurity

As part of its 2015 exam priorities, the Office of Compliance Inspections and Examinations (OCIE) cited its continued focus on cybersecurity issues. Recall that in April 2014 OCIE issued a Risk Alert detailing its initiative to assess cybersecurity preparedness. OCIE’s cybersecurity initiative was designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. In light of OCIE’s 2015 exam priorities, I thought it best to review the contents of that earlier Risk Alert.
The Risk Alert announced OCIE’s intention to conduct cybersecurity-focused examinations of more than 50 registered broker-dealers and investment advisers. More importantly, the Risk Alert includes a sample cybersecurity document request that advisers can use to assess their cybersecurity preparedness.
The examinations will focus on the following:
  • The entity’s cybersecurity governance, identification and assessment of cybersecurity risks;
  • The entity’s protection of networks and information;
  • Risks associated with remote customer access and funds transfer requests;
  • Risks associated with vendors and other third parties;
  • Detection of unauthorized activity; and
  • Experiences with certain cybersecurity threats.

Sample Document Request

As mentioned above, the Risk Alert includes a sample cybersecurity document request. The SEC wants advisers to use this list of questions to assess their firms’ cybersecurity compliance. The document request is broken down into categories that follow the examination focus areas listed above.
The Risk Alert also contains the following disclaimer (warning? advice?):

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.

It is suggested that all investment advisers use the document request to assess their cybersecurity status. Of course, not everything that is addressed will apply to all firms, as the document is clearly geared toward the biggest firms. For example, I do not know many smaller firms that have a dedicated Chief Information Security Officer. Still, since the SEC is telling you exactly what it is going to ask when it comes in to do its exam, it is best that you go through the list of questions in its entirety and see where your firm falls short. After all, it is not often that the SEC tells you exactly what it will be looking for during an examination.
To view the Risk Alert (including the sample document request) in its entirety, please click on the following link: