The Securities and Exchange Commission on Tuesday released a set of questions for advisors and broker-dealers to answer regarding their cybersecurity preparedness, as the agency starts conducting its second round of cyber-related exams.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its Risk Alert to provide additional information on the areas of focus for the exam division’s second round of cyber exams, which the agency says will involve “more testing to assess implementation of firm procedures and controls.”
An SEC spokesman said the second round of exams will begin “soon,” but will primarily take place in fiscal 2016.
The SEC’s Division of Investment Management released cybersecurity guidance in April to help advisors and funds address their cyber risks.
OCIE published a Risk Alert last April announcing a series of exams it would conduct to identify cybersecurity risks and assess cybersecurity preparedness. Cybersecurity compliance and controls are part of OCIE’s 2015 exam priorities.
Jane Jarcho, national associate director of investment adviser/investment company exams within OCIE, estimated in March at the Investment Adviser Association’s compliance conference that phase two of OCIE’s exams of advisors’ cybersecurity policies would resume this summer, with “most” of the cyber exams to be conducted onsite and to be “shorter” in length yet “more in-depth.”
Brian Rubin, partner with the law firm Sutherland Asbill & Brennan in Washington, says that “all firms should carefully review this alert to see how they would answer these questions, even if they think that the SEC won’t be examining them in the near future.”
The SEC, he says, “isn’t interested in playing ‘gotcha games’; they want firms to take the right steps.”
The Tuesday alert tells firms to ensure they are properly addressing cybersecurity measures in the following areas:
- Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment, as well as whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business, including involvement of senior management and boards of directors.
- Access Rights and Controls: Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
- Vendor Management: Due to hacking of third-party vendor platforms, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms.
- Training: Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior, as well as review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
- Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events.