As part of its continuing emphasis on cybersecurity preparedness in the securities industry, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on September 15, 2015 outlining the focus areas for its 2015 Cybersecurity Examination Initiative. This announcement of focus topics for a second round of examinations of registered investment advisers and broker-dealers follows the February 2015 release of OCIE’s summary observations of the results of its initial round of cybersecurity examinations conducted under its 2014 initiative and highlights the SEC’s emphasis on the importance of cybersecurity compliance and controls.
This second round of examinations will involve gathering additional information on cybersecurity controls and procedures as well as testing to assess the implementation of such controls and procedures by registered investment advisers and broker-dealers. The Risk Alert highlights the following focus areas for the 2015 initiative:
- Governance and risk assessment. A review of whether SEC-registered entities have cybersecurity governance and risk assessment processes relative to each of the focus areas included under the 2015 initiative discussed below. Possible examination items include whether SEC-registered entities are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their specific lines of business. As part of their assessment, SEC examiners may review the level of communication to, and involvement of, senior management and boards of directors when reviewing cybersecurity-related matters, particularly risk assessment and response planning. OCIE may request and seek to review board minutes and briefing materials related to discussion of cybersecurity risks, vendor-related matters, response planning and/or responses to actual cybersecurity incidents.
- Access rights and controls. A review of how SEC-registered firms control access to various systems and data via management of user credentials, authentication, and authorization methods for firm employees, clients and third-party vendors. Items under examination may include a review of controls associated with remote access to a firm’s system by both firm-issued and personal devices, customer logins, passwords, firm protocols to address customer login problems, customer fund transfer request authentication, network segmentation and tiered access. Examiners may also gather information related to a firm’s internal audits of its access rights and controls.
- Data loss prevention. A review of enterprise data loss prevention, including possible assessment of how a firm monitors the volume of content transferred outside of the firm by its employees or through third parties by various distribution channels, including email attachments, web-based file transfer programs or uploads, among others. Examiners also may assess how a firm monitors for potentially unauthorized data transfers (both prevention and detection of data loss) and classification of data by risk level.
- Vendor management. A review of firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, ongoing monitoring and oversight of vendors, vendor access control to firm systems, and contract terms and approval processes. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor. Examiners may also review information related to third-party vendors that provide cybersecurity-related services for risk mitigation.
- Training. A review of firm practices for training employees, third-party vendors and business partners regarding information security and risks. Examiners may gather information related to training methods, training materials provided, how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners may also review how procedures for responding to actual cyber incidents under an incident response plan are integrated into regular employee training.
- Incident response. A review of whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible mitigation of the effects of a cyber incident and/or recovery from an incident. Examiners may gather information related to risk assessment determination of which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm, tests of incident responses and procedures, and responses to actual incidents (including discovery process, escalation and remediation efforts taken). Examiners may also seek information related to cybersecurity insurance coverage, the amount of customer losses associated with an incident and any reimbursement of losses by the firm.
As part of the Risk Alert, OCIE has included a sample request letter for information and documents that it may ask for while conducting examinations of SEC-registered entities. Although the list is not all-inclusive and OCIE will tailor its requests for information based on the business model and systems of the entity under examination, the sample request is a useful guide for registered investment advisers and broker-dealers who may be called upon for information as part of the 2015 initiative to review their internal controls and begin preparing for a possible exam. The Risk Alert notes that “the NEP (National Exam Program) hopes to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.” SEC-registered firms should take the time now to review existing policies, controls and procedures related to cybersecurity with compliance staff and counsel. Aside from the reputational and business risks involved with an inadequate response to a high-profile cybersecurity breach, financial institutions registered with the SEC are required under Regulation S-P to have documented policies and procedures for protecting customer information and records.