SEC Issues Cybersecurity Risk Alert
On April 15th, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert concerning its initiative to assess the cybersecurity preparedness of the securities industry. The Risk Alert states that OCIE will conduct examinations of more than 50 registered broker-dealers and investment advisers in order to identify areas where the SEC and the industry “can work together to protect investors and our capital markets from cybersecurity threats.”
To facilitate compliance, the Risk Alert includes a sample information request (“Request”) that outlines the following areas where OCIE sees risk and will focus its examinations:
- Identification of Risks/Cybersecurity Governance
- Protection of Firm Networks and Information
- Risks Associated with Remote Customer Access and Funds Transfer Requests
- Risks Associated with Vendors and Other Third Parties
- Detection of Unauthorized Activity
- Experiences with Certain Cybersecurity Threats.
The Request provides a detailed roadmap of factors that firms may wish to consider in assessing their supervisory, compliance, and risk management systems. The 28 factors listed include several questions relating to:
- network security,
- physical security,
- periodic cybersecurity risk assessments,
- contracting with and monitoring vendors and other third parties,
- cybersecurity roles and responsibilities for employees and managers, and
- cybersecurity insurance.
The Risk Alert follows closely on the heels of the SEC’s Cybersecurity Roundtable held on March 26, during which Chair Mary Jo White stated that the SEC’s “formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.” Although the Risk Alert focuses on registered broker-dealers and investment advisers, other SEC-regulated entities that maintain client accounts or directly process customer transactions on an application-way basis may find it prudent to review the factors identified in the Risk Alert and keep a close eye on how these examinations play out in the coming year.