Memo #13141

OCIE ISSUES REPORT SUMMARIZING FINDINGS AND RECOMMENDATIONS FROM REVIEW OF ONLINE TRADING BROKER-DEALERS

[13141]

February 7, 2001

TO: TECHNOLOGY ADVISORY COMMITTEE No. 1-01

RE: OCIE ISSUES REPORT SUMMARIZING FINDINGS AND RECOMMENDATIONS FROM REVIEW OF ONLINE TRADING BROKER-DEALERS

The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently conducted a series of examinations of online broker-dealers. Subsequent to the completion of these examinations, OCIE issued a report summarizing its findings and recommendations.* The three areas of the Report that relate to technology issues are summarized below.

OPERATIONAL CAPABILITY

Section IV of the Report emphasizes the need for online firms to have sufficient operational capacity to accept and process appropriately customers’ securities transactions. The Report recommends that firms: establish capacity estimates; periodically evaluate the capacity of their systems; develop procedures for handling system capacity problems; and use every reasonable effort to notify customers of operational difficulties. The Report further recommends that firms consider:

• evaluating the adequacy of backup systems and the advisability of dual running sites or of a backup site;
• employing multiple Internet service providers;
• improving server capacity;
• giving priority at time of peak usage to customers who want to enter orders; and
• providing alternative means to place orders when Internet access is slow or unavailable.

* See Office of Compliance Inspections and Examinations: Examinations of Broker-Dealers Offering Online Trading: Summary of Findings and Recommendations (January 25, 2001) (the "Report"). The Report is available on the SEC’s website at www.sec.gov/news/studies/online.htm

SECURITY MEASURES

Section V of the Report notes that Regulation S-P, which was recently adopted by the SEC, requires firms, in part, to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
The Report recommends that, in implementing Regulation S-P, firms address the issues of encryption technology, firewalls, passwords, and use of cookies as follows:

• Use of Encryption Technology -- firms should evaluate the security of their website and e-mail systems. The Report notes that OCIE observed "many instances" of confidential information being sent without any security measures, including account numbers, passwords, social security numbers, or details of transactions. Of the firms examined, only 20% had written policies on employees sending confidential information via e-mail and only one-third encrypted e-mail, but primarily only incoming e-mail.
• Firewalls -- firms should consider implementing a periodic review of their firewall security in light of changes in technology and new security systems. The Report also recommends that firms consider hiring outside entities to periodically review the adequacy of their firewall security.
• Passwords -- firms should evaluate the security of their password selection methods.
• Use of Cookies -- firms should evaluate whether security would be enhanced by restoring password protection after a period of time or after the customer leaves the firm’s website.

EMPLOYEE SUPERVISION

Section VI of the Report recommends that firms create written procedures governing employees’ use of the Internet, including in the areas of the use of e-mail, chat rooms, bulletin boards and websites. It further recommends prohibiting employees from communicating with customers outside any channel monitored by the firm. Finally, it recommends that firms consider surveilling the Internet for use of the firm’s name to prevent its misuse by employees.

* * * *

A copy of OCIE’s Report is attached.

Tamara Reed
Associate Counsel

Attachment (in .pdf format)
