On September 15, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to provide additional information on the areas of focus for its second round of cybersecurity examinations. The OCIE’s initial cybersecurity examinations in 2014 were intended to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. The second round of examinations will focus on areas including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. The most recent Risk Alert puts registered broker-dealers and investment advisers on notice of several controls that examiners may evaluate. One of the OCIE’s stated goals in issuing the most recent Risk Alert is to “encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.”
Highlights of the guidance include the following. For governance and risk assessment, examiners will evaluate whether firms periodically assess cybersecurity risks, whether their controls and risk assessment processes are tailored to their business, and how cybersecurity matters are communicated to, and involve, senior management and boards of directors. For access control, examiners may review controls associated with remote access, customer logins, passwords, firm protocols for addressing customer login problems, network segmentation, and tiered access.
The OCIE specifically called out vendor management as a focus area because several large data breaches resulted from the hacking of the breached entity’s third-party vendors. Examinations may review firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may also assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process, as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
Similarly, the OCIE specified training as an important review area because the lack of proper training of a firm’s employees and vendors may put its data at risk. Therefore, examiners may evaluate how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior, including proper responses to cyber incidents under an incident response plan.
In addition to providing guidance on areas of focus for the examiners, the Risk Alert also includes a sample list of information that the OCIE may review in conducting examinations of registered entities regarding cybersecurity matters.