In April 2014, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert announcing its first cybersecurity sweep initiative. Pursuant to that initiative, the OCIE conducted an examination sweep of 57 registered broker-dealers and 49 registered investment advisors from a cross-section of the securities industry to assess their vulnerability to cyber-attacks. On February 3, 2015, the OCIE published a summary of the results of this examination sweep. We previously published an update on that OCIE summary report on March 8, 2015.
Following this initial examination sweep, cyber security within the securities industry remains a hot-button issue for the SEC. On January 13, 2015, the OCIE disclosed its examination priorities for 2015, which included a continued focus on cyber security compliance and controls. The OCIE issued a Risk Alert on September 15, 2015 announcing a second round of cyber security examinations; the alert also provided some guidance on the subject matter of those examinations in order to assist firms in their preparations.
The OCIE noted that the second round of examinations would emphasize testing aimed at assessing the implementation of firm cyber security procedures and controls. This focus is intended to build on the 2014 examination sweep and further assess the securities industry’s cyber security preparedness and ability to protect broker-dealer customer and investment advisor client information. This emphasis is also occasioned by public reports about cyber security breaches arising from weaknesses in basic controls. The OCIE noted that this round of examinations will focus on the following areas:
Governance and Risk Assessment. Securities firms should be prepared to discuss cybersecurity governance and risk assessment processes relative to the other key areas that will be the subject of the examination. This assessment will include an evaluation of whether the firm periodically evaluates its cybersecurity risk and whether controls and risk assessment processes are specifically tailored to the firm’s business. The role of senior management and boards of directors in such risk assessments will also be examined.
Access Rights and Controls. Examiners may assess a firm’s implementation of basic controls to prevent unauthorized access to its systems and information, such as multifactor authentication and making sure data access rights are updated based on changes in personnel or information systems. Firms should be prepared to discuss the management of user credentials and their authentication and authorization methods, including remote access and customer account log-ins.
Data Loss Prevention. An assessment by the OCIE of controls governing software patch management and system configuration can also be expected. This may include how a firm monitors the volume of information transferred outside of the firm by employees or third parties, and how a firm monitors for unauthorized transfers of protected data (i.e., exfiltration). This may also include assessing which data and assets require the most protection so as to minimize the resultant harm from any potential future breach, as well as conducting penetration and vulnerability tests of the firm’s computer systems to assess potential weaknesses.
Vendor Management. The hacking of third party vendors has resulted in some of the largest data breaches. Firms can thus expect the OCIE to focus on firm practices and controls related to vendor management – due diligence of vendors, monitoring, auditing and other oversight, and the inclusion of provisions in vendor contracts addressing cyber security issues.
Training. The proper training of employees and third party vendors regarding the handling of a firm’s data will also be a focus of the examination, particularly given the increasing occurrence of social engineering exploits (e.g. phishing and vishing) as a gateway to data breach events. Firms should be prepared to demonstrate that cyber security training is specifically tailored to each employee’s job functions and that such training is designed to encourage responsible behavior by employees and vendors. Firms can expect to be asked to demonstrate that employees and vendors have received training specifically on responding to cyber incidents as part of their regular training.
Incident Response. Securities firms should be prepared to prove that they have policies and procedures in place to respond to a data breach incident and quickly commence the repair and recovery phase. This would include having an incident response team composed of personnel with the required technical, management, legal and procedural skills, along with documentation that the incident response plan has been tested and evaluated.
While the foregoing categories will be the focus for the second wave of cyber security examinations, the OCIE made clear that this list is not exhaustive. An Appendix to the recent Risk Alert provides a sample list of information and documents that the OCIE may request during any such examination. In order to prepare for the next wave of examination sweeps, a firm should consider reviewing its ability to address the foregoing subject matters and to provide the documents and information listed in the Appendix.