Vedder Thinking | Articles SEC Issues Cybersecurity Risk Alert
On April 15, 2014, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert entitled "OCIE Cybersecurity Initiative" (the Risk Alert).1 The Risk Alert follows the SEC's recent Cybersecurity Roundtable at which SEC Chair Mary Jo White underscored the importance of cybersecurity to "the private data of the American consumer" as well as to "the financial markets and other risks." The Risk Alert is the latest in a series of public announcements on cybersecurity by the SEC and other financial markets regulators in 2014. In January, FINRA sent sweep letters to broker-dealers to notify them about upcoming assessments of the firms' approaches to managing cybersecurity threats.2 Likewise, in February 2014, the CFTC issued Staff Advisory No.
14-21 from the Division of Swap Dealer and Intermediary Oversight outlining recommended best practices, including the development and implementation of a written information security and privacy program for futures commission merchants, commodity trading advisers, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers and major swap participants.3
In the Risk Alert, OCIE has indicated that it will conduct an initial set of examinations of more than fifty registered broker-dealers and registered investment advisers to gain information about the industry's recent experiences with certain cybersecurity threats and the level of the industry's cybersecurity preparedness. Specifically, the examinations will focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity and experiences with certain cybersecurity threats.
The Risk Alert is essentially a "take-home test" for any financial institution or regulated firm preparing for an OCIE examination or conducting its own internal audit to strengthen its data security practices and incident response preparedness. Indeed, the Risk Alert includes a seven-page appendix of sample requests for information and documents that may be used by OCIE in the conduct of the examinations, and encourages compliance professionals to use as a tool to help "assess their firms' level of preparedness, regardless of whether they are included in OCIE's examinations." The sample requests include such areas as:
- The firm's information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated;
- The firm's cybersecurity risk assessment process and any findings from recent assessments;
- The firm's cybersecurity roles and responsibilities, including whether the firm has a chief information security officer or equivalent position;
- The firm's insurance for cybersecurity incidents;
- The firm's cybersecurity controls, including written guidance and periodic employee training on information security risks and responsibilities, as well as the firm's periodic audits of compliance with its information security policies;
- The firm's written data destruction policy and cybersecurity incident response policy;
- Information regarding the security of customers' online accounts, including the firm's policies for addressing responsibility for losses associated with attacks or intrusions impacting customers;
- The firm's procedures for assessing cybersecurity risks posed by third-party contractors, including the firm's cybersecurity risk assessments of vendors and business partners with access to the firm’s networks, customer data or other sensitive information; and
- The firm's practices to monitor and detect unauthorized activity on its networks and devices, including procedures for penetration testing and vulnerability scans to improve the firm's defensive measures.
The breadth and level of detail covered by the Risk Alert underscore the heightened levels of concern over cybersecurity threats faced by regulated entities. As noted above, the OCIE Cybersecurity Initiative is a clear signal that firms are expected to analyze their cybersecurity risk management processes proactively and in accordance with current best practices. Accordingly, broker-dealers and investment advisers should carefully evaluate existing cybersecurity policies and practices in light of the extensive sample requests and make any necessary adjustments and improvements.
In light of the Risk Alert, firms should consider undertaking the following steps that should be customized to the circumstances and risks specific to the individual broker-dealer or investment adviser:
1. Conducting Periodic Risk Assessments
- Identify potential cybersecurity threats (including physical security threats) to security, confidentiality and integrity of personal and other sensitive information (both customer and internal) and related systems;
- Evaluate effectiveness of current controls in light of identified risks;
- Prioritize resources, assets and systems corresponding to the nature and level of threats and vulnerabilities and revise procedures and controls, as necessary and appropriate, to address and mitigate areas of risk; and
- Determine whether existing insurance policies will cover the anticipated threats identified in the risk assessment, and determine whether separate cyber coverage is needed.
2. Evaluating Potential Third-Party Vendor Risks
- Review due diligence procedures for selecting vendors and procedures for approval/monitoring of vendor access to networks, customer data or other sensitive information;
- Obtain copies of vendor's written information security plans or certifications of compliance with applicable standards; and
- Determine whether contracts with vendors include appropriate security measures, including incident response notification procedures and cyber insurance coverage.
3. Developing and Periodically Testing A Comprehensive Incident Response Plan
- Implement a comprehensive, written incident response plan to proactively respond to actual or suspected cybersecurity events, including incident reporting mechanisms as well as the circumstances that may warrant outside legal and forensic experts and notifications to affected individuals, law enforcement, regulators, media or other third parties; and
- Conduct periodic "table top" exercises of mock cybersecurity events with IT, legal, compliance, human resources and other business stakeholders.
If you have any questions about the OCIE Cybersecurity Initiative, please contact John C. Cleary at +1 (212) 407 7740, Deborah Bielicke Eades at +1 (312) 609 7661, Joel S. Forman at +1 (212) 407 7775, Bruce A. Radke at +1 (312) 609 7689, David A. Sturms at +1 (312) 609 7589, Michael J. Waters at +1 (312) 609 7726 or your Vedder Price attorney.
1 OCIE Cybersecurity Initiative, National Exam Program Risk Alert Vol. 4 Issue 2, p. 1 (Apr. 15, 2014), http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.
2 See http://www.finra.org/Industry/Regulation/Guidance/TargetedExaminationLetters/P443219.
3 CFTC, Division of Swap Dealer and Intermediary Oversight, Staff Advisory No. 14-21 (Feb. 26, 2014), see http://www.cftc.gov/PressRoom/PressReleases/pr6866-14.