The SEC’s Office of Compliance Inspections and Examinations (OCIE), which is responsible for conducting inspections and examinations of registered broker-dealers and investment advisers, issued a Risk Alert last week announcing a planned sweep of examinations that will assess broker-dealer and investment adviser cybersecurity readiness. This is not a surprise given that the SEC has made cybersecurity preparedness one of its examination priorities for 2014. The Risk Alert outlines the steps the SEC expects registered broker-dealers and investment advisers to take to safeguard their data and network infrastructure.
As part of the Risk Alert, the SEC included a list of 28 sample questions that it intends to put to more than 50 registered broker-dealers and investment advisers over the coming months. The full text of the Risk Alert is available on the SEC’s website.
The SEC is focusing its inquiries on the following areas:
- Cybersecurity governance
- Identification and assessment of cybersecurity risks
- Protection of firm networks and information
- Remote customer-access risks
- Vendor and other third-party risks
- Detection of unauthorized access
What Investment Advisers and Broker-Dealers Should Do Next
While the steps outlined in the Risk Alert are not mandatory, the SEC’s increased focus on cybersecurity is likely to lead to more enforcement actions in the future. Investment advisers and broker-dealers should keep in mind that the SEC has imposed significant sanctions on firms whose cybersecurity policies and procedures it found deficient. Firms should therefore either adopt written policies that address each of the OCIE sample questions or be prepared to document their rationale for not having such policies in place.