On September 15, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert announcing the priorities for its second round of cybersecurity examinations. The examinations are part of the Cybersecurity Initiative announced by the OCIE in its April 15, 2014 risk alert.
This second round of examinations focuses on assessing the implementation of firm procedures and controls. It builds on the first round, which focused on collecting information about the industry’s recent experiences with certain types of cyber threats and on understanding industry-wide practices regarding cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, and detection of unauthorized activity.
The priorities for this round of examinations include: Governance and Risk Assessment, Access Rights and Controls, Data Loss Prevention, Vendor Management, Training, and Incident Response. The alert indicates that while these are the priorities, examiners may select additional areas based on risks identified during the course of the examinations and to account for a particular firm’s business.
The alert includes a sample request for information to assist registered entities in preparing for the examination. It is not intended to be an all-inclusive list, but it will aid firms in assessing their cybersecurity practices, policies and procedures.