The Office of Compliance Inspections and Examinations ("OCIE") of the U.S. Securities and Exchange Commission has issued a Risk Alert providing information on the areas of focus for OCIE's second round of cybersecurity examinations.
In April 2014, OCIE published a Risk Alert announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. That was followed, in February 2015, with the publication of summary observations of the findings from those examinations. These discussed some of the legal, regulatory, and compliance issues associated with cybersecurity.
This latest Risk Alert, published September 15, 2015, is the next step in the development of OCIE's assessment of cybersecurity preparedness in the securities industry, including firms' ability to protect broker-dealer customer and investment advisor client information.
OCIE examiners will be focusing on six areas. These six areas of examination, and the questions which examiners intend to pursue, are as instructive for firms outside the securities industry as they are for registrants.
- Governance and Risk Assessment — Do registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below? Do they evaluate cybersecurity risks on an ongoing basis? Are controls and risk assessment processes tailored to their business? What is the level of involvement of senior management and boards of directors?
- Access Rights and Controls — Do firms employ technologies such as multifactor authentication, and to what extent? Do they update access rights to correspond to personnel and system changes? How do registrants control access to various systems and data via management of user credentials, authentication, and authorization methods? How do access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access contribute to creating or addressing cybersecurity risk?
- Data Loss Prevention — What are the controls in the areas of patch management and system configuration? How do firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads? How do firms monitor for potentially unauthorized data transfers, and how do they verify the authenticity of a customer request to transfer funds?
- Vendor Management — What firm practices and controls govern vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of cybersecurity in vendors? What contract terms apply? Are vendor relationships considered as part of the firm's ongoing risk assessment process? How do firms determine the appropriate level of due diligence to conduct on a vendor?
- Training — What employee cybersecurity training is provided, and how is it tailored to the specific job functions of given employees? Are procedures for responding to cyber incidents under an incident response plan integrated into regular personnel and vendor training?
- Incident Response — Do firms have established policies and assigned roles? Have they assessed system vulnerabilities and developed plans to address possible future events? Specifically, which of the firm's data, assets, and services warrant the most protection to help prevent
The Risk Alert is also instructive because it provides a sample list of information that OCIE examiners may review in pursuing their inquiries. These include not only formally articulated cybersecurity policies, but also documents relating to:
- Patch management practices;
- Cyber-related risk, response planning, and incident briefings to the Board;
- The firm's Chief Information Security Officer ("CISO") or equivalent position;
- The firm's organizational structure, particularly information regarding the positions and departments responsible for cybersecurity-related matters;
- Periodic risk assessments;
- Penetration testing;
- Vulnerability scans;
- Access rights and controls;
- The implementation of access rights and controls;
- Access incidents;
- Device controls;
- Verification procedures in fund transfer requests;
- Data mapping, especially in respect of the identification of personal information;
- Exfiltration monitoring capabilities and policies;
- Vendor management policies, including due diligence, risk assessment and management tracking and access control;
- Business continuity plans and other mitigation plans;
- Incident response plan tests and exercises;
- Incident logs.