Securities and Exchange Commission (SEC) to Examine Registered Broker-Dealers’ and Investment Advisers’ Procedures for Countering Cybersecurity Threats
Thursday, April 24, 2014
Print Mail Download i

Background and Purposes

On April 15, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” explaining a new initiative to assess cybersecurity preparedness in the securities industry.  Although not an official rule, regulation or statement of the SEC, the Risk Alert advised that OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, regarding their cybersecurity and data security procedures and policies.

OCIE’s cybersecurity initiative is designed to obtain information about the industry’s recent experiences with certain types of cyber threats.  The examinations will focus on the following topics: the firm’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain specific cybersecurity threats.

Questions Registered Entities May be Asked

As an appendix to the Risk Alert document it released this week, OCIE included a sample list of requests for information that OCIE may use to assess registered firm’s preparedness to deal with cybersecurity threats. A primary area of OCIE inquiry is the firm’s internal policies and procedures for data preservation and cybersecurity.  For example, one sample question asks the firm to identify the last time it completed certain cybersecurity precautions, such as: preparing a firm-wide inventory of physical devices and systems; mapping network resources, connections and data flows; and cataloguing connections to the firm’s network from external sources.  Another asks the firm whether it maintains data breach/cybersecurity insurance, and if so, the firm is asked to describe the nature of the coverage and whether the firm has filed any claims against the policy.  The OCIE also asks if the firm maintains written data destruction policies or cybersecurity incident response policies, and if so, the firm is asked to provide copies of the policies and identify the date they were last updated.

Unsurprisingly, the security of customer-related data and fund transfer information is also a primary OCIE focus.  One sample question asks the firm about its customers’ online account access platform, including how customers are authenticated for online transactions, a description of any security measures used to protect stored customer PINs, and software used to detect anomalous transaction requests that may be the result of compromised customer access.  Another question asks for a copy of the firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds.

OCIE also plans to inquire about risks related to vendors and other third parties.  The sample questions include cybersecurity requirements the firm incorporates in contracts with third parties; policies, procedures and training provided to third parties about cybersecurity; and how the firm segregates network components to which third parties have access from purely internal components.

Other areas of inquiry include how the firm detects unauthorized activity on its networks and devices, whether the firm conducts “white-hat” hacker penetration tests and vulnerability scans; how the firm identifies and implements “best practices” for cybersecurity; and whether (and how) the firm has been the target of digital attacks or data breaches, and how it responded to those incidents.

Conclusion

The regulatory environment for cybersecurity compliance in all business sectors is fast-moving, particularly for companies in the financial services industry. This is clearly an area to which the SEC is giving a great deal of attention and the sample requests signal the specific concerns that the SEC has identified thus far. The OCIE Risk Alert to broker-dealers and investment advisers comes less than three weeks after the SEC held a day-long roundtable discussion on cybersecurity.

© 2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

Current Legal Analysis

More from Faegre Drinker

SCOTUS Denies Certiorari in Cases Concerning FCA Liability Requirement, Objective Falsity Circuit Split Remains Intact
by: Commercial Litigation Practice Group
Groundbreaking Fourth Circuit Decision Upholds Private Plaintiff’s Successful Effort to Unwind a Consummated Merger
by: Kathy L. Osborn , Emily E. Chow
Travel Bans and Quarantine Hotels: Traveling to the U.K. During COVID-19
by: Hodon Anastasi
TCPA Plaintiff Argues he wasn’t Injured in Attempt to Dodge Federal Jurisdiction
by: Marsha J. Indych , Renée M. Dudek
Silver Lining: COVID-19 Engagements Allow More Time for Premarital Financial Planning
by: Jaime A. Quick
Biden EPA Makes First Moves to Address PFAS in Drinking Water
by: Bonnie Allyn Barnett , Brandon W. Kirkham
Predicting the Enforcement Priorities of the Biden DOJ
by: Thomas J. Kelly , Daniel E. Pulliam
New York City Council Imposes Stricter Discipline Requirements on Fast Food Employers
by: Gerald T. Hathaway
Disclosure of Binding Arbitration Not Required In Consumer Warranties, Says Florida Supreme Court
by: Traci T. McKee , Lexi C. Fuson
FCC Order Causes Confusion Regarding Consent Required for Informational Calls to Residential Landlines
by: Matthew M. Morrissey

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins