In a recent SEC “risk alert” for registered broker-dealers and investment advisers, the SEC’s Office of Compliance Inspections and Examinations (OCIE) listed the factors that OCIE will be applying when the staff conducts a second round of examinations of registrants’ readiness for cybersecurity attacks.
During the first round of examinations conducted earlier this year, OCIE found that a significant number of registrants had experienced a cyberattack. Most of those registrants had written policies and procedures to prevent and handle such occurrences, but in many cases those policies and procedures were not effective. Based on the findings from the first round of examinations, OCIE determined that a second round was necessary, but decided to first alert the industry about what the staff expects in terms of adequate policies and procedures.
OCIE’s alert lists the factors that the staff will be reviewing closely, which include: the registrant’s cybersecurity risk assessment, the involvement of senior management and the board of directors, and the safeguards employed to control access to its systems.
One emphasis of the examination is how the registrant selects and monitors vendors so that private information is kept secure. According to OCIE, the vendor selection process should include a thorough review of the safeguards and systems employed by the vendor, followed by ongoing monitoring by the registrant to ensure that the vendor is actually carrying out those safeguards and maintaining those systems.
Clearly, OCIE expects each registrant to have clear written policies and procedures addressing cybersecurity, an assignment of roles among key personnel, and an ongoing assessment program to determine areas susceptible to cybersecurity attacks.
To assist registrants, OCIE’s alert included a sample request listing the information and questions that OCIE examiners are likely to ask for while conducting the cybersecurity exam.