OCIE Announces 2015 Priorities in Second Round of Cybersecurity Examinations: New Risks for Securities Firms in Cybersecurity Compliance

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) on Sept. 15, 2015 issued Risk Alert to announce its new focus on cybersecurity of securities firms and registered investment advisers. Cybersecurity programs of securities firms had best be strengthened, otherwise they may be subject to additional regulatory scrutiny according to the Risk Alert, which is meant to serve as helpful guidance for firms that need to create or heighten a cybersecurity program. The National Exam Program in 2014 conducted cybersecurity examinations on 106 securities firms. As a follow-up to the 2014 SEC security examinations The Risk Alert highlights certain additional measures the national registered entities need to be aware of when the SEC is conducting examinations.

A sample examination request with a list of information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations may review in conducting examinations of registered entities regarding cybersecurity matters may be viewed here.

Examiners will be evaluating new details including how broker-dealer customer and/or investment adviser client data is recorded and protected by securities firms. The SEC now may assess whether firms have adequate controls and risk assessment processes that are tailored to firms’ business, and the level of involvement of the senior management and the board of directors in implementing and supervising these processes. Additionally, requests may now be made by cybersecurity examiners into whether data management, vendor management, training policies and practices for vendors as well as employees of firms and vendors, are present, as well as whether firms have an overall data compromise incident response plan and training for that plan.

Reflecting a change in focus toward top-down implementation of procedures and controls, the revised sample examination request may include board meeting minutes and information regarding the firm’s organizational structure. It may be sought from the firm’s Chief Information Security Officer or employees responsible for cybersecurity, including that of firm vendors. This is in contrast to the initial 2014 examination inquiries into whether or not the procedures and controls were merely present.

Examination requests may include seeking descriptions of how firms manage cybersecurity risks for third-party vendors, and information about how firms prevent data loss. Broker-dealer customer and investment adviser client information has been identified in public reports to be subject to weaknesses in basic controls such as the updating of access rights based on personnel changes. Examiners may review how firms control authentication, remote access, tiered access, network segmentation, and firm protocols to address customer login information. Another area subject to scrutiny is for example, in patch management and system configuration.

The internal firm monitoring of the volume of content being transferred outside of the firm will now be assessed by the SEC. This includes by firm employees or through third parties via email attachments or uploads. Examiners may review how firms verify the authenticity of customer requests to transfer funds, for example. Firm controls implemented that are related to vendor management are largely at issue, due to the large data breaches recently by hacking third party platforms. As a result, examiners will be assessing how firms select vendors and oversight of these vendors, and this includes the terms that govern vendor contracts. These vendors need to be included in the firm’s risk assessment processes, and requests by examiners may include internal protocols and procedures regarding it.

Some data breaches result from unintentional employee data mismanagement. Therefore, an examination request may focus on how employee training is tailored to job function. Employee training is designed to encourage responsible employee and vendor behaviors as a first line of defense in a data breach. Taking all these factors in to consideration, examiner requests may assess how integrated an incident response plan is into personnel and vendor training. In evaluating the requisite response plans, the examiners will look to how firm data assets and services have been assessed for cybersecurity priority, and they may also be examining system vulnerability.

Parker MacIntyre provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.