On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert announcing that it will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on each entity’s cybersecurity governance, cybersecurity risks, protection of networks and information, ability to detect unauthorized activity, and other issues related to cybersecurity.
This risk alert is consistent with OCIE’s identification of cybersecurity preparedness as one of its 2014 Examination Priorities. Further, the alert comes on the heels of the SEC’s Cybersecurity Roundtable last March, in which the importance of cybersecurity to the market system and customer data protection was specifically discussed.
This also comes on the heels of FINRA’s Targeted Examination Letter to broker-dealers in January 2014. FINRA also identified cybersecurity in its 2014 Examination Priorities Letter.
In light of this focus, financial services firms should assess their systems and controls relating to technology. As the regulators have consistently emphasized, it is not enough to have procedures – firms must test those procedures to ensure that the systems and procedures are working as designed. Finally, firms should conduct periodic training of representatives and employees, reminding them of the need to be especially vigilant in safeguarding customer information.
As part of the risk alert, OCIE provided a sample request for information and documents. The sample request, which is attached in its entirety to this bulletin, covers identification of risks/cybersecurity governance; protection of firm networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and other issues. According to OCIE, the sample requests are intended to assist compliance professionals in assessing their firms’ level of preparedness by providing questions and tools for consideration.