This week the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced a second round of cybersecurity examinations, continuing its initiatives on the issue. The move follows the SEC’s March 2014 roundtable of regulators and industry representatives, its April 2014 Risk Alert announcing a sweep exam to identify risks and issues, and its February 2015 summary observations from that sweep.
In this second round of exams, OCIE will engage in more testing directed at firms’ implementation of key controls and procedures, especially:
- Governance & Risk Assessment, requiring current, tailored processes with senior management (including CISO positions) and board involvement.
- Access Rights & Controls, both inside and outside the enterprise, including credentialing, access tracking and BYOD (bring your own device) issues.
- Data Loss Prevention, including patch management, system configuration, and outbound communications, with special emphasis on personally identifiable information.
- Vendor Management, implementing due diligence of, and downstream compliance controls over, third-party providers.
- Training of employees and vendors.
- Incident Response Plans and data protection priorities.
The announcement also includes a list of sample exam inquiries.
The Securities Industry and Financial Markets Association (“SIFMA”) offers business continuity services to the industry, including cybersecurity webinars and table-top exercises for small firms, cybersecurity insurance programs and the industry-wide periodic “Quantum Dawn” exercises simulating a street-wide cyber-attack. Those resources are described here: http://www.sifma.org/services/bcp/business-continuity-planning/
OCIE’s September 15 announcement is here: http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf