Cybersecurity and the SEC
Cybersecurity is a top priority for the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) again this year as it is seen as important to the integrity of the market system and customer data protection. As entities and advisers increasingly use technology to conduct their business activities, the need to protect confidential and sensitive information related to these activities from third parties is increasingly important.
The OCIE conducts examinations of the nation’s registered entities, including broker-dealers, transfer agents, investment advisers, investment companies, municipal advisers, the national securities exchanges, clearing agencies, SROs such as the Financial Industry Regulatory Authority and the Municipal Securities Rulemaking Board, and the Public Company Accounting Oversight Board. Each year, the OCIE announces its top examination priorities and in January 2016, the OCIE announced its top priorities for this year, which include ongoing risk areas such as cybersecurity, micro cap fraud, fee selection, and reverse churning. “Through information sharing and conducting comprehensive examinations, the OCIE continues to promote compliance with the federal securities laws to better protect investors and our markets,” stated SEC Chair Mary Jo White in a January 11, 2016 press release.
Back in September 2015, the OCIE issued a risk alert to provide additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls. The areas of focus and what may be performed by the OCIE in their examinations are:
- Governance and Risk Assessment: Assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below, assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business, and also review the level of communication to, and involvement of, senior management and boards of directors.
- Access Rights and Controls: Review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.
- Data Loss Prevention: Assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and assess how firms monitor for potentially unauthorized data transfers and review how firms verify the authenticity of a customer request to transfer funds.
- Vendor Management: Review firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
- Training: Review how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior, and review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
- Incident Response: Assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.
All entities and advisers should evaluate their compliance in these key areas and read the September 2015 risk alert for more information. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-related risks, a sample request for information and documents is included in the risk alert.
All entities are at risk of a cybersecurity breach. Shortly after the risk alert was published, the SEC announced on September 22, 2015 that it had settled with an Investment Adviser on charges that the Investment Adviser failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of approximately 100,000 individuals. An SEC investigation found that the Investment Adviser violated the “safeguards rule” during a nearly four year period by failing to adopt any written rules and policies to ensure the security and confidentiality of personally identifiable information and protect it from anticipated threats or unauthorized access. The Investment Adviser had been hacked and the attack was traced to China. In the settlement, without admitting or denying the SEC’s findings, the Investment Adviser agreed to cease and desist from committing or causing any future violations of the “safeguards rule” (Rule 30(a) of Regulation S-P), agreed to be censured, and agreed to pay a $75,000 penalty.
For more information, go directly to the SEC’s cybersecurity website, http://www.sec.gov/spotlight/cybersecurity.shtml.