As part of its increased attention to cybersecurity preparedness, the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) recently announced that it will conduct cybersecurity preparedness examinations of more than 50 registered investment advisers and broker-dealers.
The SEC's decision follows the concerns raised by SEC Chair Mary Jo White in her opening statement at the SEC Roundtable on Cybersecurity in March 2014. Among them were the growing security threat to the U.S. financial system and its institutions in light of the Target breach, and the persistent attempts by hackers to gain access to U.S. and global financial infrastructure. In his follow-on statements during the Roundtable, SEC Commissioner Luis Aguilar noted a 2012 global survey of securities exchanges in which 89% identified cyber-crime as a potential systemic risk and 53% reported experiencing a cyber-attack in the previous year. The SEC views investment advisers, broker-dealers, and fund managers as a potential "back door" through which hackers can gain access to sensitive financial information and to U.S. and global financial institutions and infrastructure. In light of these concerns, the SEC is likely to focus its examinations of registered investment advisers and broker-dealers on the following areas:
- cybersecurity governance policies and practices
- protection of networks and information
- identification of cybersecurity risks
- funds transfer requests
- remote customer access
- third-party systems
- means for detecting unauthorized access and activity
- past performance in response to cybersecurity threats
As part of its document requests to advisers and broker-dealers, the OCIE will likely seek detailed information regarding:
- the firm's practices for detecting unauthorized network and device activity, and the key persons responsible for carrying out those practices
- whether the firm has experienced cybersecurity breaches since January 1, 2013, and the nature, duration, frequency, and severity of any such events and the firm's related remediation efforts
- the firm's third-party contractors and business partners that perform remote maintenance, and the cybersecurity risk assessments the firm conducts on such vendors and partners
- on-line account access and customer authentication procedures (including PINs), deletion software, and the information given to customers regarding cybersecurity threats
While threats and actual breaches remain likely to occur, the SEC is endeavoring to ensure that registered investment advisers and broker-dealers act proactively to mitigate risks to their cybersecurity architecture, investors, and customers.
To prepare for such examinations, registered investment advisers and broker-dealers should undertake a thorough review of their existing cybersecurity policies and procedures, including the related supervisory, compliance, and risk management systems. In addition, they should take steps now to establish or strengthen cybersecurity policies, procedures, and systems, and to collate all relevant documentation evidencing such compliance so that they can respond to OCIE document requests promptly and thoroughly.