In the first post of this series, there was an overview of the SEC’s “OCIE Cyber Security Initiative” and its effect on broker-dealers and registered investment advisers. This post takes a closer look at the nine pieces of information that must be provided upon request and their implications for firms.
The scope of the SEC cyber security assessment will require broker-dealers and registered investment advisers to provide the following information upon request:
- The firm’s information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated. The firm will need to show the SEC that its physical devices and systems, as well as its software platforms, are inventoried. It is imperative that the firm be able to show how it creates or updates network resources, connections, and data. The firm should demonstrate that such policies and procedures are periodically reviewed and tested.
- The firm’s cyber security risk assessment process and any findings from recent assessments. The firm must identify individuals or business groups that conduct the assessment and the date that the most recent assessment was completed. The firm should be able to provide records to the SEC of all identified risks and the measures taken to remediate these risks.
- The firm’s cyber security roles and responsibilities, including whether the firm has a chief information security officer or equivalent position. The firm should show the SEC that the information security officer has been given the authority and financing to maintain a staff that can properly design, maintain and oversee a firm’s cyber security system. Here it is essential that the firm maintain written documentation of the information security officer’s role.
- The firm’s insurance for cyber security incidents. A firm must procure insurance that covers losses and expenses related to cyber security events. Best practices usually require that the firm disclose to the SEC the nature of the coverage, any filed claims, and how those claims were resolved.
- The firm’s cyber security controls, including written guidance and periodic employee training on information security risks and responsibilities, as well as the firm’s periodic audits of compliance with its information security policies. The firm should retain copies of any related written materials and a record of the dates, topics, and groups of employees that participated in each training event. By recording this data, a firm is able to demonstrate to the SEC that it has taken measures to help minimize the risk of a security breach caused by human error.
- The firm should have a written data destruction policy and a cyber security incident response policy (“IRP”). The IRP should include a description of an IRP team, which could include the managing member of the firm, the information security officer, and general counsel. The firm will also need to record when the IRP was most recently updated and demonstrate that it conducts tests or exercises to assess its IRP. The firm must also record when and by whom the last such test or assessment was conducted.
- The firm should be able to disclose to the SEC details around the security of customers’ online accounts, including the firm’s policies for addressing responsibility for losses associated with attacks or intrusions impacting customers. Where online access is provided, the firm may also be required to disclose to the SEC details around any third parties managing the service, the functionality of the firm’s electronic platform, the authentication process, and the software deployed to detect irregular customer requests. The firm may also be required to disclose the methods it employs to protect customers’ PINs. If a firm offers guaranties to customers against attacks, then best practice requires that copies of these guaranties be provided to the SEC.
- The firm’s procedures for assessing cyber security risks posed by third-party contractors, including the firm’s cyber security risk assessments of vendors and business partners with access to the firm’s networks, customer data, or other sensitive information. In addition, the firm should be prepared to provide the SEC with copies of vendor or third-party contractors’ information security plans, copies of contracts with outside parties in which the firm included language dealing with appropriate security measures for a cyber security breach, and any training materials related to information security procedures and practices.
- The firm’s practices to monitor and detect unauthorized activity on its networks and devices, including procedures for penetration testing and vulnerability scans to improve the firm’s defensive measures. The firm should be able to demonstrate that it has restricted its users’ access solely to the network resources necessary for their own business functions. It should also be able to produce copies of the policies and procedures for these control measures to the SEC upon request. Where the firm permits BYOD, it should be prepared to demonstrate to the SEC that it has adopted technology, procedures, and practices to monitor and detect any type of unauthorized activity on mobile devices.
While the nine points above are a mixture of policies, systems, and practices, at the end of the day a lawyer must sign off. Therefore, it is critical that the firm employ a lawyer who is a cyber security expert and has the requisite technical, legal, and business acumen. Otherwise, the firm can expose itself to unnecessary risks and costs.
It is critical that firms that fall under these guidelines carefully evaluate their existing cyber security policies and practices in light of the SEC’s extensive sample requests and make any necessary adjustments and improvements. At a high level, firms should consider undertaking the following steps: (1) conduct periodic risk assessments, (2) evaluate third-party vendor risks, and (3) develop and test an incident response plan. Given the current and rapidly evolving importance of cyber security, it is only a matter of time before the SEC will, in the context of supervising and verifying the disclosure of material risks, expand its examinations beyond these few firms to include all publicly listed companies.