In an April 15, 2014 Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspection and Examinations (OCIE) announced that it would conduct examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity. OCIE administers the SEC’s nationwide examination and inspection program of registered broker-dealers, investment advisers, investment companies, the national securities exchanges, clearing agencies, SROs, such as Financial Industry Regulatory Authority (FINRA), the Municipal Securities Rulemaking Board (MSRB) and the Public Company Accounting Oversight Board (PCAOB). OCIE stated that “[t]hese examinations will help identify areas the Commission and the industry can work to protect investors and our capital markets from cybersecurity threats.” OCIE’s Risk Alert comes on the heels of the SEC’s recent Cybersecurity Roundtable, which was a gathering of industry and regulators to discuss the issues and challenges cybersecurity raises for market participants and public companies, and how they are addressing those concerns.
In its Risk Alert, OCIE provided a sample request for information and documents that it may ask for from firms in its cybersecurity initiative. Some of the questions asked track information outlined in the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” OCIE’s sample requests focus on five specific topic areas—
- Identification of risks/cybersecurity governance;
- Protection of firm networks and information;
- Risks associated with remote access and funds transfer requests;
- Risks associated with vendors and other third parties; and
- Detection of unauthorized activity.
The sample requests also asks how firms identify relevant best practices and whether firms have experienced certain events since January 2013. These events include the detection of malware; a denial of service attack; impairment of the availability of critical firm web or network resources; a breach of the firm’s network by an unauthorized user; the compromise of a customer or vendor’s computer used to remotely access the firm’s network; the receiving of fraudulent emails purportedly from customers seeking to direct transfers of customer funds or securities; an extortion attempt by an individual or group threatening to impair access to or damage the firm’s data, devices, network, or web services; and the misappropriation of funds, securities, sensitive customer or firm information or damage to the firm’s network or data by an employee or authorized user of the firm’s network. OCIE requests that firms provide detailed information regarding the above events, including how some of those events were caused and remedied.
Given OCIE’s Risk Alert and the SEC’s focus on cybersecurity, all registered market participants should reassess and reevaluate their cybersecurity policies and procedures. Registered market participants should compare their policies to OCIE’s sample requests for information to ensure that there are not areas or issues for which their policies and procedures do not cover.