On September 15, 2015, OCIE issued a risk alert relating to its new cybersecurity examination initiative. This is the second round of these examinations, and the alert provides a detailed look at OCIE’s current areas of focus.
The examinations will involve testing broker-dealers and investment advisers to assess implementation of their cybersecurity procedures and controls. The risk alert includes a sample document request detailing the materials that OCIE will seek to review in connection with these examinations.
OCIE’s new examination plan builds on examinations that were initially announced in April 2014 (see our related client alert here), which enabled OCIE to gain better insights into prevailing cybersecurity practices and procedures, and potential deficiencies, in the industry. As a result, key topics of the new examinations will include:
- cybersecurity governance and risk management;
- system access rights and controls;
- data loss prevention;
- management of third-party vendors that may place customer information at risk;
- employee and vendor training; and
- responses to suspected incidents.
As we have discussed in prior client alerts, the SEC is committed to assessing and encouraging cybersecurity readiness in the industry. For example, the SEC has been fairly active in enforcing Rule 30 of Regulation S-P (Privacy of Consumer Financial Information), the so-called “Safeguards Rule,” and has imposed significant fines when it has identified deficiencies in a firm’s customer information compliance policies and procedures, distribution of limited or insufficient written materials regarding safeguarding customer information, or a failure to implement adequate controls to safeguard customer information. Moreover, OCIE identified cybersecurity as one of its exam priorities announced in January 2015 and FINRA announced its own examination of cybersecurity practices in 2014 (see our related client alert here).
In light of the seriousness of highly publicized intrusions into commercial websites during the last few years, we would not be surprised to see the SEC and/or FINRA initiating additional enforcement actions arising from any deficiencies in a firm’s readiness to respond to the growing threat presented by hackers.
Whether or not OCIE examines a particular firm’s cybersecurity practices, OCIE clearly seeks to encourage all industry participants to consider carefully their own practices, policies, and procedures with respect to cybersecurity. To that end, the risk alert provides significant detail that a firm can use to prepare for an examination and to internally review and evaluate its current practices. The sample document request included in the risk alert can be used to better understand OCIE’s views as to cybersecurity, to identify whether the firm’s own practices differ from those views and, if so, to determine whether those differences can be adequately explained based on the nature of the firm’s business or otherwise. Clearly, OCIE views cybersecurity as central to the enterprise, and expects that commitment to be reflected in board discussions and efforts at the senior management level.