The Office of Compliance Inspections and Examinations ("OCIE") of the U.S. Securities and Exchange Commission has issued a Risk Alert providing information on the areas of focus for OCIE's second round of cybersecurity examinations.

In April 2014, OCIE published a Risk Alert announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. That was followed, in February 2015, with the publication of summary observations of the findings from those examinations. These discussed some of the legal, regulatory, and compliance issues associated with cybersecurity.
This latest Risk Alert, published September 15, 2015, is the next step in the development of OCIE's assessment of cybersecurity preparedness in the securities industry, including firms' ability to protect broker-dealer customer and investment advisor

OCIE examiners will be focusing on six areas. These six areas of examination, and the questions which examiners intend to pursue, are as instructive for firms outside the securities industry as they are for registrants.
Governance and Risk Assessment — Do registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below? Do they evaluate cybersecurity risks on an ongoing basis? Are controls and risk assessment processes tailored to their business? What is the level of involvement of senior management and boards of directors?
Access Rights and Controls — Do firms employ technologies such as multifactor authentication and, if so, to what extent? Do they update access rights to correspond to personnel and system changes? How do registrants control access to various systems and data via management of user credentials, authentication, and authorization methods? How do access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access contribute to creating or addressing cybersecurity risk?
Data Loss Prevention — What are the controls in the areas of patch management and system configuration? How do firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads? How do firms monitor for potentially unauthorized data transfers and review how firms verify the authenticity of a customer request to transfer
Vendor Management — What firm practices and controls govern vendor management, such as due diligence with regard to vendor selection, and monitoring and oversight of cybersecurity in vendors? What contract terms apply? Are vendor relationships considered as part of the firm's ongoing risk assessment process? How do firms determine the appropriate level of due diligence to conduct on a vendor?
Training — What employee cybersecurity training is provided, and how is it tailored to the specific job functions of given employees? Are procedures for responding to cyber incidents under an incident response plan integrated into regular personnel and vendor training?
Incident Response — Do firms have established policies and assigned roles? Have they assessed system vulnerabilities and developed plans to address possible future events? Specifically, which of the firm's data, assets, and services warrant the most protection to help prevent
The Risk Alert is also instructive because it provides a sample list of information that OCIE examiners may review in pursuing their inquiries. These include not only formally articulated cybersecurity policies, but also documents relating to:
Patch management practices;
Cyber-related risk, response planning, and incident briefings to the Board;
The firm's Chief Information Security Officer ("CISO") or equivalent position,
The firm's organizational structure, particularly information regarding the positions and departments responsible for cybersecurity-related matters;
Periodic risk assessments;
Access rights and controls;
The implementation of access rights
Verification procedures in fund
Data mapping, especially in respect of the identification of personal information;
Exfiltration monitoring capabilities
Vendor management policies, including due diligence, risk assessment and management tracking and access
Business continuity plans and other