On April 15, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a risk alert, which notified investment advisors that its upcoming examinations will focus on cybersecurity. The risk alert follows OCIE’s announcement of its 2014 examination priorities identifying technology as a significant initiative, and the SEC’s March 26 cybersecurity roundtable, which emphasized the need for stronger partnerships between the SEC and the private sector to address cybersecurity threats. These recent actions unmistakably signal that the SEC is focused on cybersecurity as a critical public threat.
Shortly after releasing the risk alert, the SEC began conducting examinations of more than 50 registered broker-dealers and investment advisors to gauge “cybersecurity preparedness.” These examinations are ostensibly designed to help the SEC identify the areas in which SEC-registered entities are already addressing cybersecurity threats and, of course, those areas where cybersecurity measures could be improved.
For these examinations, the SEC provided a sample list of questions that comprises 28 requests, many with multiple sub-parts. The list covers a broad range of issues at varying levels of technical complexity. For example, one of the simpler questions is whether a registered investment advisor (RIA) maintains an inventory of the physical devices and systems used at the firm. Some more complex questions include whether the RIA maintains protection against distributed denial of service (DDoS) attacks for critical Internet-facing IP addresses; whether the RIA maintains baseline information about expected events on the firm’s network; and whether the RIA aggregates and correlates event data from multiple sources to assist in detecting unauthorized activity on its networks or devices.
Other questions address whether RIAs allocate liability for cybersecurity breaches that adversely affect their clients. In particular, Question 8 asks whether the RIA maintains insurance specifically covering losses and expenses attributable to cybersecurity incidents. In addition, Question 17 asks RIAs to provide sample copies of vendor agreements to show whether they incorporate requirements relating to cybersecurity risk. These questions prompt RIAs not only to develop policies and procedures, but also to consider obtaining cybersecurity insurance policies and updating their third-party vendor and confidentiality agreements to specifically address liability for cybersecurity breaches.