Sep 172015

SEC’s OCIE Cybersecurity Risk Alert Announces Cybersecurity Examination Initiative

Alan Charles Raul and Grady Nye
, , , ,

On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing a new Cybersecurity Examination Initiative. The Alert provides the agency’s areas of focus for its next round of cybersecurity examinations of broker-dealers and investment advisers.

The new Alert follows the agency’s April 2014 announcement of upcoming examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.  In February 2015, OCIE released a summary of the findings from its first round of examinations.

The OCIE’s new initiative is designed to assess the ability of broker-dealers and investment advisers to protect customer and client information and to test the implementation of cybersecurity-related controls.  The SEC has indicated it will focus on the following areas:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

To promote compliance and provide notice to the industry where it sees risks, OCIE attached a sample request for information and documents in an appendix to the recent Risk Alert.  Some questions in the sample request track the “Framework for Improving Critical Infrastructure Cybersecurity” issued by the National Institute of Standards and Technology (NIST).  In general, the sample request calls for information regarding firm policies and procedures related to specific elements of the six topic areas highlighted in the bullet points above.  Of particular note for senior management, OCIE’s examination would seek governance documents relating to Board minutes and briefing materials, if applicable, regarding: cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors.

OCIE also expects firms to have materials regarding “data mapping” and internal “ownership” with respect to customer personal information.

For more information, the entire Risk Alert, issued on September 15, 2015, can be found here.

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Grady Nye

gnye@sidley.com

You might also like
How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

The Future of UK Open Banking: Joint Regulatory Oversight Committee Issues Recommendations

The committee of government and regulatory authorities responsible for open banking in the UK has set out its plans and timeframes for expanding and developing infrastructure, standards, and processes for the sector. Central among these are proposals to improve the performance of interfaces among relevant firms, mitigate financial crime risks, and ensure that end users receive sufficient information and are protected if something goes wrong. This Sidley Update summarises the proposals and key points for firms.