On April 15, 2014 the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examination (“OCIE”) announced that it would assess the cybersecurity preparedness of the industry as a whole by examining the practices of 50 registered broker-dealers and investment advisers. OCIE will send tailored requests for information to each selected firm; the questions will focus on each entity’s cybersecurity governance, ability to identify and assess cyber risks, protect its networks, detect intrusions, and deal with the risks associated with relying on vendors and third parties. OCIE did not indicate when the examinations will begin, but did provide a sample request for information as part of its press release announcing the examinations.

The sample request for information was designed to be used by the securities industry as a whole, rather than merely the 50 examined firms. As OCIE stated, the purpose of the endeavor is to “empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examination.” Several of the questions in the sample were designed to track with the “Framework for Improving Critical Infrastructure Cybersecurity” that the National Institute of Standards and Technology (“NIST”) released on February 12, 2014. For more information on the NIST Cybersecurity Framework, please see our Cyber Alert on the topic. 

The sample request for information indicates that the SEC will seek, among other things, the following information: 

  • An inventory of the firm’s physical devices and systems, as well as its software platforms and applications;
  • A map of network resources, connections and data flows, including the location where customer information is stored;
  • The firm’s logging capabilities and practices;
  • Whether the firm conducts risk assessments and, if so, when the most recent assessment took place;
  • A list of the NIST, ISO or other standards the firm uses as a model for its information security architecture;
  • A copy of the firm’s policy on addressing losses from attacks or intrusions;
  • An explanation of the various practices the firm employs to detect unauthorized activity on its network and devices; and
  • Information regarding any network intrusions that have taken place since January 1, 2013. 

As OCIE stated, these examinations are meant to “help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats.” The sample request for information may also prove to be a useful tool for critical infrastructure companies, regardless of industry, that are seeking to assess their cybersecurity preparedness. As part of the NIST Cybersecurity Framework, critical infrastructure entities are asked to identify their current cybersecurity postures in an effort to identify gaps in those practices. Critical infrastructure companies, or independent third-party assessors, may rely on OCIE’s sample request for information in conducting such reviews.