On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert concerning upcoming cybersecurity preparedness examinations within the securities industry. Following on the heels of the 2014 Cybersecurity Roundtable and the announcement of “Technology” as one of the significant 2014 Examination Priorities, OCIE will be conducting examinations of more than 50 registered broker-dealers and investment advisers, focusing in particular on:
- cybersecurity governance;
- identification and assessment of cybersecurity risks;
- protection of firm networks and information;
- risks associated with remote customer access and funds transfer requests;
- risks associated with vendors and other third parties;
- detection of unauthorized activity; and
- experiences with certain cybersecurity threats.
The Risk Alert includes a sample document request that OCIE may use when examining registered entities on cybersecurity matters. Although OCIE reserved the right to request additional information, the sample request consists of 28 detailed questions in the areas listed above. Its principal subjects include the specific elements of the firm’s cybersecurity program; the security measures used in providing customers with online account access; the cybersecurity risk assessments the firm conducts of vendors and business partners, whether because those parties have access to the firm’s networks, customer data, or other sensitive information, or because of the cybersecurity risk inherent in the outsourced function; and a description of the firm’s recent experience with any of the seven types of cybersecurity “events” described in the request.