On Sept. 15, 2015, the Securities Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published its second cybersecurity risk alert (the “2015 Risk Alert”). The 2015 Risk Alert is a follow up to the OCIE’s April 2014 cybersecurity initiative risk alert (the “2014 Risk Alert”) announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. The 2015 Risk Alert puts broker-dealers (BDs) and investment advisors (IAs) on notice that OCIE will seek additional information and expand its area of focus in this second round of cybersecurity examinations.

 The NIST Framework

The 2014 Risk Alert provided a broad list of documents that OCIE may request for its cybersecurity examinations. Much of the 2014 Risk Alert tracked information from the Framework for Improving Critical Infrastructure Cybersecurity released on Feb. 12, 2014, by the National Institute of Standards and Technology (the “NIST Framework”). The NIST Framework is organized around five core cybersecurity functions: Identify, Protect, Detect, Respond and Recover. The 2014 Risk Alert promotes the NIST Framework and encourages BDs and IAs to incorporate the NIST Framework in their cybersecurity policies and procedures. These are the 2014 Risk Alert focus areas:

  • Identification of Risks/Cybersecurity Governance
  • Protection of Firm Networks and Information
  • Data Loss Prevention
  • Risks Associated With Remote Customer Access and Funds Transfer Requests
  • Risks Associated With Vendors and Other Third Parties
  • Detection of Unauthorized Activity

Results from the First Round

In February 2015, the OCIE reported in its Cybersecurity Examination Sweep Summary that 93 percent of BDs and 83 percent of IAs have adopted written information security policies and 88 percent of BDs and 53 percent of IAs used external standards, such as the NIST Framework. Given that the 2014 Risk Alert addressed the Identify, Protect, Detect core functions of the NIST Framework and compliance rates left room for improvement, firms should not be surprised that the 2015 Risk Alert will seek additional information on the Identify, Protect and Detect functions and expand its area of focus to the Respond and Recover functions. The 2015 Risk Alert focus areas are:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management:
  • Training
  • Incident Response

Getting Ready for Round Two

The 2014 Risk Alert includes an appendix with sample list of information that OCIE may review in conducting examinations regarding cybersecurity matters. To prepare for the OCIE’s next round of cybersecurity examinations, BDs and IAs should review the 2014 Risk Alert, assess their response to a second document request, gather information on the basic cybersecurity controls outlined in the NIST Framework and, to the extent necessary, adopt written policies and procedures for data privacy and information security training. Cybersecurity training materials should be tailored for specific job functions (e.g., front office, operations, and compliance and risk functions) and designed to encourage good cyber hygiene. Furthermore, BDs and IAs should establish policies and procedures for responding to cyber incidents with a detailed response plan. Cyber incident response plans should assign specific roles to each function, assess system vulnerabilities and include business continuity plans. Firms should also expect the OCIE to request other information regarding cybersecurity preparedness, including participation in information-sharing networks, such as the Financial Services Information Sharing and Analysis Center.