SEC’s OCIE Cybersecurity Risk Alert Announces Cybersecurity Examination Initiative

On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing a new Cybersecurity Examination Initiative. The Alert provides the agency’s areas of focus for its next round of cybersecurity examinations of broker-dealers and investment advisers.

The new Alert follows the agency’s April 2014 announcement of upcoming examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. In February 2015, OCIE released a summary of the findings from its first round of examinations.

The OCIE’s new initiative is designed to assess the ability of broker-dealers and investment advisers to protect customer and client information and to test the implementation of cybersecurity-related controls. The SEC has indicated it will focus on the following areas:

  • Governance and Risk Assessment
  • Access Rights and Controls
  • Data Loss Prevention
  • Vendor Management
  • Training
  • Incident Response

To promote compliance and provide notice to the industry where it sees risks, OCIE attached a sample request for information and documents in an appendix to the recent Risk Alert. Some questions in the sample request track the “Framework for Improving Critical Infrastructure Cybersecurity” issued by the National Institute of Standards and Technology (NIST). In general, the sample request calls for information regarding firm policies and procedures related to specific elements of the six topic areas highlighted in the bullet points above. Of particular note for senior management, OCIE’s examination would seek governance documents relating to Board minutes and briefing materials, if applicable, regarding: cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors.

OCIE also expects firms to have materials regarding “data mapping” and internal “ownership” with respect to customer personal information.

For more information, the entire Risk Alert, issued on September 15, 2015, can be found here.