On September 15, 2015, the Office of Compliance Inspections and Examination (OCIE) of the Securities and Exchange Commission (SEC) published a Risk Alert to provide additional information on the focus areas for its second round of cybersecurity exams. While the SEC’s oversight with respect to its cybersecurity exam initiative only extends to broker-dealers, investment advisers, and transfer agents, its attention to, and actions taken to address, data security and privacy concerns signifies the tremendous importance of data security and privacy in the broader economy. The OCIE cybersecurity exams are a part of the SEC’s Cybersecurity Initiative, a broad effort by the SEC to identify risks, assess preparedness, and increase protection of electronic data within the securities industry.
The OCIE announced that its second round of examinations will focus on the following areas:
Governance and Risk Assessment
OCIE examiners may assess the cybersecurity governance and risk assessment processes as they relate to the announced focus areas, whether firms are periodically evaluating cybersecurity risks, and whether their controls and risk assessment processes are tailored to their business. The examiners may also review the level of communication and involvement of senior management and boards of directors.
Access Rights and Controls
To determine how firms control access to various systems and data through their management of user credentials, authentication, and authorization methods, examiners may review controls associated with remote access, customer logins, passwords, firm protocols to address login issues, network segmentation, and tiered access.
Data Loss Prevention
Exams may include assessments of how firms monitor the volume of content transferred outside of the firm by employees or through third parties, e.g. email attachments or uploads, and how firms monitor for potentially unauthorized data transfers. Examiners may also review how firms verify the authenticity of customer requests to transfer funds.
Examiners may focus on firm practices and controls related to vendor management, such as due diligence in vendor selection, monitoring and oversight of vendors, and contract terms, and assess how vendor relationships are considered within the firm’s ongoing risk assessment process. Examiners may also assess how firms determine the appropriate level of due diligence to conduct on vendors.
Recognizing that employees and vendors can be the first line of defense, exams may focus on how training is tailored to specific job functions and how it is designed to encourage responsible behavior. Further, examiners may review how cyber-incident response plan procedures are integrated into the regular personnel and vendor training.
Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. As part of this assessment, examiners may assess which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.
The OCIE has indicated that while the foregoing areas are the primary focus of the exams, examiners may select additional areas based on risks identified during the course of examinations.
Broker-dealers, investment advisers and transfer agents should review their current policies and procedures as they relate to the SEC’s guidance and consider what additional steps they may need to take to ensure compliance with SEC rules and protection of customer information. Entities not directly affected by the alert, or SEC oversight, should take this opportunity to review how their own industries regulate cybersecurity and how they are impacted by data security and privacy concerns.