On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to provide additional information on the focus areas for OCIE’s second round of cybersecurity examinations of registered broker-dealers and investment advisers. The Risk Alert is the latest publication by the SEC staff concerning cybersecurity compliance and controls, which OCIE included among its 2015 examination priorities.
In April 2014, OCIE announced the first round of sweep examinations intended to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. In February 2015, OCIE issued a Risk Alert providing summary observations derived from the first round of examinations, which included interviews with key personnel and evaluation of materials from 57 registered broker-dealers and 49 registered investment advisers relating to the firms’ practices for: identifying cybersecurity-related risks; establishing cybersecurity governance, including policies, procedures and oversight processes; identifying and responding to risks relating to service providers, vendors and other third parties; safeguarding network infrastructure and information; identifying and managing risks associated with remote access to client information and funds transfer requests; and uncovering unauthorized activity.
In the recently released Risk Alert, OCIE indicated that the second round of sweep examinations will involve more testing to assess implementation of firm procedures and controls. In this connection, OCIE identified several key focus areas, including:
- Governance and Risk Assessment: Examiners may assess whether firms: (i) have cybersecurity governance and risk assessment processes related to the other key areas of focus described below; (ii) are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business; and (iii) are involving senior management/ boards of directors and to what extent.
- Access Rights and Controls: Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This review may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention: Examiners may assess how firms: (i) monitor the volume of content transferred outside of the firm by their employees or through third parties (e.g., by email attachments or uploads); (ii) monitor for potentially unauthorized data transfers; and (iii) verify the authenticity of a customer request to transfer funds.
- Vendor Management: Examiners may assess: (i) firm practices and controls related to vendor management (e.g., due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms); (ii) how vendor relationships are considered as part of the firm’s ongoing risk assessment process; and (iii) how the firm determines the appropriate level of due diligence to conduct on a vendor.
- Training: Examiners may assess how: (i) training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior; and (ii) procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
- Incident Response: Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events (including determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm).
In connection with “OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-related risks,” OCIE included with the Risk Alert a sample request for information and documents to be used in the second round of sweep examinations. The Risk Alert, including the sample information request, is available at: http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurityexamination-initiative.pdf.