SEC National Examination Program Publishes Risk Alert Regarding Its Cybersecurity Initiative

[28050]

April 17, 2014

TO: COMPLIANCE MEMBERS No. 9-14
TECHNOLOGY COMMITTEE No. 5-14
CHIEF INFORMATION SECURITY OFFICER ADV. COMMITTEE RE: SEC NATIONAL EXAMINATION PROGRAM PUBLISHES RISK ALERT REGARDING ITS CYBERSECURITY INITIATIVE

 

The National Examination Program (NEP) of the SEC’s Office of Compliance Inspections and Examinations (OCIE) has published its latest Risk Alert, which discusses OCIE’s “Cybersecurity Initiative.” [1]  While the Risk Alert itself is short (2 pages), attached to it are seven pages of a “sample list of requests for information” that OCIE may use in conducting inspections of registrants relating to cybersecurity issues.  The Risk Alert notes that cybersecurity preparedness is a focus of the NEP’s priorities for 2014.  It also notes that, on March 26, 2014, the SEC sponsored a Cybersecurity Roundtable, at which Chair White underscored the importance of cybersecurity to the U.S. market system and customer data protection. [2]

According to the Risk Alert, “OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.”  As part of its initiative, OCIE plans to conduct examinations of more than 50 registered broker-dealers and investment advisers.  Such reviews will focus on the registrant’s cybersecurity governance, identification, and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.

The Risk Alert concludes by noting that OCIE’s cybersecurity exams are intended, in part, to “help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats.” [3]

 

Tamara K. Salmon
Senior Associate Counsel

 

endnotes

[1] See Cybersecurity Initiative, OCIE Risk Alert Volume IV, Issue 2 (April 2014), which is available at: http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.

[2]  See Institute Memorandum No. 28003, dated March 28, 2014, for a summary of the SEC’s Roundtable.

[3] Members interested in participating in an Institute committee focused on cybersecurity and other information security issues should ensure that their firm is represented on ICI’s Chief Information Security Officer Advisory Committee.  For more information about this Committee, contact Peter Salmon of the ICI at (202) 326-5869 or salmon@ici.org.