Based on recent announcements made by the SEC, publicly traded companies doing business with the United States need to begin focusing on of cyber security. On April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations issued an alert entitled “OCIE Cyber Security Initiative” (the Risk Alert). The Risk Alert is the latest in a series of public announcements made in 2014 on cyber security by the SEC and other financial markets regulators.
In January, FINRA sent sweep letters to broker-dealers to notify them about upcoming assessments of firms’ approaches to managing cyber security threats. In the Risk Alert, OCIE indicated that it will conduct an initial set of examinations of more than fifty registered broker-dealers and registered investment advisers to collect information about the industry’s recent experiences with certain cyber security threats and the level of the industry’s cyber security preparedness.
The examinations will focus specifically on the following areas:
- Cyber security governance and identification
- Assessment of cyber security risks
- Protection of networks and information
- Risks associated with remote customer access and funds transfer requests
- Risks associated with vendors and other third parties
- Detection of unauthorized activity
- Experiences with specific cyber security threats.
The scope of the SEC cyber security assessment will require broker-dealers and registered investment advisers to provide the following information upon request:
- The firm’s information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated.
- The firm’s cyber security risk assessment process and any findings from recent assessments.
- The firm’s cyber security roles and responsibilities, including whether the firm has a chief information security officer or equivalent position.
- The firm’s insurance for cyber security incidents.
- The firm’s cyber security controls, including written guidance and periodic employee training on information security risks and responsibilities, as well as the firm’s periodic audits of compliance with its information security policies.
- The firm’s should have a written data destruction policy and cyber security incident response policy (“IRP”).
- The firm should be able to disclose to the SEC details around the security of customers’ online accounts, which includes the firm’s policies for addressing responsibility for losses associated with attacks or intrusions impacting customers.
- The firm’s procedures for assessing cyber security risks posed by third-party contractors, including the firm’s cyber security risk assessments of vendors and business partners with access to the firm’s networks, customer data or other sensitive information.
- The firm’s practices to monitor and detect unauthorized activity on its networks and devices, including procedures for penetration testing and vulnerability scans to improve the firm’s defensive measures.
In the second part of this series, there will be a closer analysis of the nine pieces of information that must be provided upon request and their implications for firms.