SEC’s New Cybersecurity Guidance Sets Regulatory Expectations for Investment Advisers and Broker Dealers
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert announcing the second round of examinations under its cybersecurity examination initiative. The Risk Alert details areas of focus for the next wave of examinations of investment advisers and registered broker-dealers. In 2014, OCIE launched its cybersecurity exam initiative to better understand the cybersecurity practices in the securities industry. The findings were released in February 2015 in OCIE’s Cybersecurity Examination Sweep Summary.
This round of examinations is expected to be far more detailed than in the past. According to OCIE, the areas of focus in the upcoming exams will include:
● Governance and Risk Assessment: To assess whether registrants have adequate cybersecurity governance and risk assessment processes, OCIE may request firm policies and procedures relating to protection of customer information, patch management practices, periodic risk assessments, and penetration testing. Additionally, OCIE may request board minutes and briefing materials relating to cybersecurity incidents, cybersecurity response planning, and cybersecurity-related matters involving vendors, as well as information about the firm’s organizational structure and Chief Information Security Officer (or equivalent position).
● Access Rights and Controls: OCIE may review how firms control access to systems and data through user credentials, authentication, and authorization methods. This may involve a review of the firm’s policies regarding passwords, remote access, customer logins, protocols to address customer login problems, network segmentation, and tiered access. Additionally, OCIE may review the firm’s policies and procedures regarding employee access rights and access by unauthorized persons to firm networks and devices.
● Data Loss Prevention: OCIE may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties. OCIE also may assess how firms monitor for potentially unauthorized data transfers and verify the authenticity of a customer request to transfer funds. OCIE may review the firm’s policies for data loss prevention and request information about data mapping and systems, utilities, and tools to prevent, detect, and monitor the loss of personally identifiable information and access to customer accounts.
● Vendor Management: OCIE may scrutinize the firm’s policies, practices, and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
● Training: To minimize data breaches caused by employee error (e.g., misplaced laptops, unsecured internet connection, and improper downloading), OCIE will examine the firm’s training practices, assess whether the training is tailored to specific job functions, and determine whether the training is designed to encourage responsible employee and vendor behavior.
● Incident Response: OCIE may assess whether firms have established policies, assigned roles, and developed plans to address potential future cyber incidents, including determining whether the firm is adequately safeguarding its most critical data, assets, and services. OCIE may request documents about the firm’s tests of its incident response plan. Additionally, OCIE may request documents regarding internal or external distributions of personally identifiable information, as well as records of the amount of actual customer losses associated with cyber incidents.
We will be writing more about the SEC’s continued focus on cybersecurity and are actively monitoring developments in this area. In the meantime, compliance professionals should familiarize themselves with this new guidance, and be mindful of this more focused scrutiny on cybersecurity governance from the Commission.