The U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert last week on managing cybersecurity risks.[1] The SEC is very serious about compliance with cybersecurity standards. The Commission recently hosted a Cybersecurity Roundtable to gather information from technology experts, registered entities and other interested parties on best practices for managing cyber-threats. Less than a month after the Roundtable, OCIE released this Risk Alert.
OCIE announced that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers focusing on areas related to cybersecurity preparedness. The examinations will cover, among other areas, the governance process for managing cyber-risks, detection and assessment of cyber-risks, controls for managing identified risks, remote customer access to a registered entity's systems, and service provider relationships. To facilitate a registered entity's preparedness for the upcoming examination, OCIE has provided a sample document request, which provides information that can be used to assess a firm's level of cyber-preparedness.
Since data breaches are daily occurrences, registered entities would be wise to commence a cyber-review as soon as possible. Since corporate America is amply on notice about cyber-threats, OCIE is not likely to go easy on entities that are not prepared. For example, in the Risk Alert, OCIE asked whether a firm has updated supervisory procedures to reflect the Identity Theft Red Flag Rules that became effective over a year ago.[2] If a firm has not done so, OCIE seeks a full explanation for the delinquency.
For more information about the Risk Alert or how to design a cybersecurity compliance program, please contact any of the individuals listed above or Jim Bowers, our director, Compliance Risk Services, who can be reached at (860) 275 0339 or email@example.com. Mr. Bowers has written extensively about cyber-threats and the National Institute of Standards and Technology's development of a cybersecurity framework (referenced in the Risk Alert). For more information on this topic, see his article "Mitigating Data Breach Liability: In Search of a Best Practice."