On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.
In addition to what we have previously reported, this Risk Alert is the latest in a series of announcements on cybersecurity from OCIE. Although OCIE’s jurisdiction within the SEC technically extends only to the examination of certain kinds of regulated securities entities and intermediaries, the Risk Alert also can be instructive to other businesses subject to SEC oversight. As OCIE’s knowledge and sophistication on the topic of cybersecurity continues to improve, we expect that an increasing number of OCIE inspections will lead to referrals to the SEC’s Division of Enforcement for more formal action.
According to OCIE, areas of focus for upcoming examinations of broker-dealers and investment advisers include the following:
Governance and Risk Assessment: OCIE examiners may assess whether registrants have cybersecurity governance and risk assessment processes in place, whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.
Access Rights and Controls: Examiners may review the manner in which firms control access to various systems and data via account management, authentication and authorization methods. For example, this review may include evaluating controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation and tiered access.
Data Loss Prevention: Examinations may include assessing how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners may also assess how firms monitor for potentially unauthorized data transfers and may review how they verify the authenticity of a customer request to transfer funds.
Vendor Management: Examiners may focus on firms’ practices and controls related to vendor management, such as due diligence, engagement, and monitoring and oversight of vendors. The examinations may include an assessment of how vendor relationships are incorporated into the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
Training: Examiners may focus on whether training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review whether procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
Incident Response: Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future events. This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm.