
Briefing

SEC continues to push forward with cybersecurity initiatives

On April 15, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Cybersecurity Initiative Risk Alert (“Risk Alert”).[1] The Risk Alert — which underscores the SEC’s increasing focus on cybersecurity preparedness — follows a March 26, 2014 Cybersecurity Roundtable (the “Roundtable”) during which the SEC emphasized “the compelling need for stronger partnerships between the government and private sector” to address cyber threats.[2]

OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s experience with cyber threats.  As part of the initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisors in the areas of:

  • Cybersecurity governance / Identification and assessment of cybersecurity risks;
  • Protection of networks and information; 
  • Risks associated with remote customer access and funds transfer requests; 
  • Risks associated with vendors and other third parties; 
  • Detection of unauthorized activity; and
  • Experiences with certain cybersecurity threats.

The Risk Alert contains a seven-page sample document request consisting of 28 comprehensive questions that the SEC may use in conducting examinations of registered entities regarding cybersecurity matters. The questions cover the firm’s cybersecurity risk and management processes; cybersecurity risk management policies (and whether the firm uses the standards set forth by the National Institute of Standards and Technology or the International Standards Organization); risks and procedures for on-line account access; encryption; incident response planning; disaster recovery/business continuity plans; and cyber insurance.

The Risk Alert highlights for firms “risks and issues that the staff has identified” and is intended to “empower compliance professionals with questions and tools” to assess their firms’ cybersecurity preparedness. The sample requests in the Risk Alert also reflect some of the overall themes that emerged during the Roundtable, including:

  • The increasing role of the board of directors/senior management in cybersecurity. One of the key themes at the Roundtable was the instrumental role that the board of directors and senior management should play in leading an organization’s cybersecurity preparedness and resilience to cybersecurity attacks. One panelist opined that senior management can play an important role in creating a cybersecurity culture that “starts at the keyboard” and in which cybersecurity is not seen as a technology issue for the IT department to resolve but as a business issue in which all employees take action and understand their role in protecting their companies. In that regard, the Risk Alert sample requests ask for detailed information on cybersecurity roles and responsibilities and business continuity plans.
  • The role of information sharing in combating cyber-threats. The Roundtable panelists agreed that information sharing between industry participants, the private sector and government is critical to tackling cybersecurity challenges. In that regard, the sample requests in the Risk Alert specifically ask about reporting of cyber incidents to various governmental and industry organizations.
  • Cybersecurity risks are dynamic and continuing. The Roundtable panelists discussed how there is no “one size fits all” approach to cybersecurity and there is no “compliance checklist.” Cybersecurity threats are variable and dynamic and may emerge from a variety of sources, including political “hacktivists,” criminals out for financial gain, terrorists, and foreign nation-states. Accordingly, cyber-threats should not be considered a problem to overcome, but a continuing risk that must be managed. The breadth of the questions in the Risk Alert is aimed at identifying the different (and common) ways in which firms are approaching cybersecurity.

The Risk Alert is yet another indication of the SEC’s increasing concern about cybersecurity, and the results of the examinations are likely to lead to additional cybersecurity regulations. The SEC’s approach mirrors that taken by the Prudential Regulation Authority in the UK, which has similarly issued a questionnaire to regulated businesses regarding their cyber security practices. Indeed, the UK Government and EU institutions are actively promoting information sharing as a means to strengthen businesses against attack.

SEC regulated entities should thus carefully evaluate existing cybersecurity policies in light of the sample request. Firms and companies regulated by the SEC that have not implemented a cybersecurity program should begin the process.

-------------------------------

[1] OCIE Cybersecurity Initiative, National Exam Program Risk Alert.

[2] Chair Mary Jo White, “Opening Statement at SEC Roundtable on Cybersecurity” (March 26, 2014).