Building on its stated goals for 2014, the U.S. Securities and Exchange Commission (“SEC”) recently issued a Cybersecurity Risk Alert through its Office of Compliance Inspections and Examinations (“OCIE”) that provides important additional information regarding the SEC’s ongoing initiative to assess cybersecurity preparedness in the financial and securities industry subject to its jurisdiction.
As we covered earlier this year (SEC Steps up Review of Cyber Attack & Breach Response Plans), the SEC has moved forcefully in the area of cybersecurity. Last month the SEC held a well-publicized Cybersecurity Roundtable to address the “compelling need for stronger partnerships between the government and private sector” regarding cyber threats.
According to the Alert, OCIE will be conducting examinations of more than 50 investment advisers and broker-dealers, specifically focusing on the following areas:
The entity’s cybersecurity governance
Identification and assessment of cybersecurity risks
Protection of networks and information
Risks associated with remote customer access and funds transfer requests
Risks associated with vendors and other third parties
Detection of unauthorized activity
Experiences of certain cybersecurity threats
The Alert is intended to highlight risks and issues identified by the OCIE and details the factors that firms should consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. OCIE stresses that the enumerated factors are not exhaustive, nor will they constitute a safe harbor. A copy of the OCIE Alert and sample information and document request may be found at:
Sample Information and Document: