As the Securities and Exchange Commission (SEC) continues to focus on cybersecurity compliance as part of its 2015 Examination Priorities,[1] the SEC Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on September 15, 2015,[2] to help prepare registered investment advisers and broker-dealers for an upcoming second round of cybersecurity examinations.
In April 2014, OCIE announced its first series of cybersecurity exams, intended to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.[3] Almost a year later, in February 2015, OCIE published a summary of its observations and findings that discussed some of the legal, regulatory and compliance issues associated with cybersecurity.[4] As discussed in a recent update we published,[5] the SEC provided a three-step approach for firms to consider when analyzing cybersecurity risks and potential preventative measures. Due to the positive response received from registered investment advisers and broker-dealers, OCIE issued the new Risk Alert to provide additional information about the next round of examinations, which will focus on gathering information on cybersecurity-related controls as well as testing the implementation of those controls.
The Risk Alert highlighted the following six areas and the attendant risks and issues that should be considered by firms as they (i) assess their supervisory, compliance and risk management cybersecurity systems and (ii) make any necessary changes to address or strengthen such systems.
- Governance and Risk Assessment: Whether firms have cybersecurity governance and risk assessment processes to address the key areas discussed below. Examiners may assess whether firms are periodically evaluating cybersecurity risks, as well as the communication and involvement of senior management and boards of directors.
- Access Rights and Controls: Whether firms implement basic controls to prevent unauthorized access to, and disclosure of, information. For example, examiners may review how firms control access to various systems and data through management of user credentials and authentication and authorization methods. This may include evaluating the firm's controls over remote access, customer logins and the firm's protocols for handling customer login problems, passwords, tiered access and network segmentation.
- Data Loss Prevention: Examiners may assess a firm's controls regarding patch management and system configuration. Examiners may also assess how firms monitor the amount of information distributed outside the firm by its employees or through third parties via various communication channels, such as email, hard copy or web-based file transfer programs. In addition, examiners may evaluate how firms monitor potentially unauthorized data transfers and verify the authenticity of a customer request to transfer funds.
- Vendor Management: As hacking of third party vendor platforms may have resulted in some of the largest recent data breaches, examiners may focus on firm practices and controls related to vendor management, such as a firm’s due diligence in its selection, monitoring and oversight of its vendors. Examiners may also evaluate whether vendor relationships are considered part of a firm’s ongoing risk assessment process.
- Training: As employees and vendors can put a firm’s data at risk without proper training, examiners may focus on how cybersecurity training is tailored to specific job functions. As employees and vendors can also be very helpful in protecting against cybersecurity breaches, examiners may assess a firm’s training and whether it is designed to encourage responsible employee and vendor behavior. Finally, examiners may review the response procedures in place in the event of a cybersecurity incident and whether an incident response plan is integrated into the regular training of employees and vendors.
- Incident Response: Due to increased risks of cybersecurity attacks and potential future breaches, examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future attacks. Examiners may evaluate how a firm would detect and limit the harm caused by a hacker gaining access to the system. In order to prevent attacks from causing significant harm, firms should determine the data, assets and services that warrant the most protection.
While the Risk Alert focuses on these six primary areas, it is not meant to be comprehensive. Rather, examiners may select additional areas based on new risks identified during the course of the exams. Since cybersecurity includes a broad spectrum of potential risks, registered investment advisers and broker-dealers need to assess their current level of cybersecurity preparedness and tailor their policies accordingly. In addition, factors that may be appropriate for one firm to consider may not be appropriate for another firm. For example, registered investment advisers and broker-dealers outsourcing functions to third party vendors face a different set of cybersecurity challenges than a firm that handles those functions internally.
In order to help registered investment advisers and broker-dealers prepare for the next round of exams, OCIE published a four-page sample request for information as an appendix to the Risk Alert.[6] Although it is not intended to be an all-inclusive list, the sample request is an additional resource that firms may utilize to prepare for the upcoming examinations and to assess their cybersecurity preparedness.