SEC Launches Cybersecurity Exams of BDs, Advisors

OCIE Risk Alert provides exam guidance, sample questions to more than 50 broker-dealers and RIAs


The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations said Tuesday that it has launched cybersecurity-related exams of more than 50 registered broker-dealers and registered investment advisors.

In its National Exam Program Risk Alert, OCIE provides BDs and advisors with a list of questions to help them assess their firms’ cybersecurity compliance as well as a sample cybersecurity document request that they can expect from the division.

OCIE is assessing BDs’ and advisors’ cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.

These exams “will help identify areas where the commission and the industry can work together to protect investors and our capital markets from cybersecurity threats,” the OCIE staff said in the alert.

Some of the questions in the alert track information outlined in the Framework for Improving Critical Infrastructure Cybersecurity, released Feb. 12 by the National Institute of Standards and Technology. But OCIE warns BDs and advisors that the questions in the alert should not be considered "all inclusive" of the information that OCIE may request. Accordingly, "OCIE will alter its requests for information as it considers the specific circumstances presented by each firm’s particular systems or information technology environment."

At a March 26 cybersecurity roundtable held by the SEC at its Washington headquarters, SEC Chairwoman Mary Jo White underscored the importance of cybersecurity surveillance in protecting the integrity of the nation’s market system and customer data.

SEC Commissioner Luis Aguilar suggested that the commission should establish a cybersecurity task force, with members from each division.

Daniel Sibears, executive vice president of regulatory operations and shared services at FINRA, noted at the roundtable that the top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees, and hackers penetrating BD systems.

For advisory firms large and small, “account takeover is the No. 1 risk” when it comes to cybersecurity, added David Tittsworth, executive director of the Investment Adviser Association in Washington. Account takeovers have “grown in frequency in the last year or two,” he said.

