On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a National Exam Program Risk Alert announcing a targeted exam initiative geared toward assessing “cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with . . . cyber threats.” The initiative will target over 50 registered broker-dealers and investment advisers and generally seek information on:
- Cybersecurity governance.
- Identification and assessment of cybersecurity risks.
- Protection of networks and information.
- Risks associated with remote customer access and funds transfer requests.
- Risks associated with vendors and other third parties.
- Detection of unauthorized activity.
- Experiences with prior attacks and certain identified threats.
At the same time, the OCIE also released a sample list of information and document requests designed to address these categories, encompassing 28 enumerated questions. The full release is available online from the SEC.
The SEC has recently discussed the topic of cybersecurity on multiple occasions, and it is clear that the OCIE will look to make cybersecurity issues a major priority for the foreseeable future. In order to prepare for upcoming examinations, firms are well-advised to begin reviewing their policies and procedures immediately.
Cybersecurity is a constantly shifting paradigm that requires the diligent attention of the firm. The threats are constantly changing and addressing them may affect numerous policies throughout the organization. The following framework is designed to help broker-dealer and investment adviser firms begin working through issues recently raised by the cybersecurity release. However, the actual policies and procedures employed by firms should be informed by the firm’s unique business model, risk profile, and other factors outside the scope of this client alert.
- Form a Cybersecurity Compliance Working Group.
Because of the complexity of these topics, the Working Group should include members of compliance, management, and Information Technology (“IT”). For some items, the Working Group might also include representatives of other departments, such as human resources.
- Determine Which Standards Apply.
First, firms should gather the relevant guidance from the SEC and other applicable regulators to determine the universe of their legal requirements. The Working Group should then determine whether the firm or its systems currently comply with any third-party or independent audits or standards that might inform its process and help respond to regulator inquiries. For example, the National Institute of Standards and Technology (NIST) in February of 2014 released a “Cybersecurity Framework” with which some firms may already be complying, or from which they might draw guidance going forward.
- Perform a Risk Assessment.
The Working Group should perform a detailed risk assessment of the firm’s cybersecurity programs. This should include reviewing the OCIE sample questions with a goal of being able to answer and justify responses to any of the questions presented. The breadth of material published by the SEC has provided the industry with deep insight into what issues the SEC is looking at and what its particular concerns are. As such, there should be relatively few surprises in terms of document requests and inspection focus when compared with other, less granular guidance. Firms should carefully review the sample questions released and use them as an initial roadmap for an internal assessment.
The Working Group should also perform a comprehensive review of all of the hardware and software used in the firm’s business. This might include, for example, a review of the physical and digital methods used to access information, including login credentials, physical access to computer workstations, protocols for remote connection to firm systems, and access to customer information.
The Working Group must also prepare a list of threats, based upon the firm’s recent experience, news items regarding cybersecurity risks, and guidance released by regulators and industry groups. These threats should be viewed through the lens of the firm’s current structure to determine whether any vulnerabilities exist.
- Plug Any Holes.
Once the risk assessment is complete, the Working Group should engage with other firm personnel as necessary to draft, implement, and carry out any plans to address risks or vulnerabilities uncovered. These plans should be reported to, and reviewed by, the board of directors or other managing entity. Insurance to cover cybersecurity risks should also be considered by the board or similar management entity.
- Prepare Policies.
Much of the work around preparing policies and procedures will involve updating existing policies. If current cybersecurity, IT, customer information, or other similar policies are already in use, they should be amended as necessary to address any vulnerabilities uncovered by the risk assessment. Policies should clearly define reporting and supervisory responsibilities.
Although the exact language of a dedicated “Cybersecurity Policy” will differ from firm to firm and largely depend on the specific risks associated with each firm’s business model, there are four core issues any policy should address. First, the policy should determine how to Identify and Protect against known and unknown external threats. Second, the policy should describe how the firm will Detect breaches, such as loss of customer data, attempted hacking, and the like. Third, the policy should discuss the framework used by the firm to Respond to data loss, attempted incursions, and other actual threats. Fourth, the policy should provide a schedule and process to Review and Revise the procedures, both on an annual and per-incident timeline.
In addition, other related policies may need to be reviewed to conform to the cybersecurity policies. These might include:
- Vendor Access and Review. The Working Group should evaluate the firm’s current policies with respect to vendors. For example, what policies are in place to restrict and monitor vendor access to customer data? Is the vendor’s own internal compliance part of any firm annual risk assessment? Finally, how are vendors selected and reviewed? Many financial industry service providers are subject to ongoing compliance audits, and may prepare, for example, an SSAE 16 Report or similar report. These reports can be reviewed by firms to help satisfy them that vendor access to, and use of, customer data is appropriately protected.
- Identity Theft Red Flag Detection Program. These procedures should be reviewed in order to make sure that they properly augment the larger cybersecurity program. The two programs are interrelated, and it is important that they are reviewed together.
- Business Continuity and Disaster Preparedness. Although traditionally focused on catastrophic events such as floods and fires, a firm’s business continuity and disaster incident response programs should be widened to include data security breaches, loss of customer information, and the like. These risks are increasingly more likely to occur than traditional physical business interruptions and could prove more costly.
- Annual Assessments. Year-end compliance reports, risk assessment grids, annual reports, and the like should be amended and revised to ensure that such reports discuss and address the unique risks associated with cybersecurity.
- Establish Training Programs.
Once policies and procedures are determined, they should be communicated to appropriate staff. Periodic trainings and supervision will be necessary to ensure compliance. Cybersecurity should be integrated into the firm’s ongoing compliance training programs.
All new policies and procedures should be audited and tested to determine that the safeguards are functioning properly and able to secure against identified risks and threats. Recent statements by the SEC indicate that it is very likely to take a careful look at the actual implementation of those policies.
- Review at Least Annually.
All of the above should be reviewed at least annually to address changes in industry guidance, new threats, and changes to the business model. In addition, interim policy and procedure amendments should be made as needed to address particular emerging threats or significant guidance releases.